10341000x80000000000000006796Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:44.886{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0104-615C-3201-00000000FC01}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006795Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:44.886{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006794Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:44.886{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006793Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:44.886{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006792Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:44.886{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006791Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:44.886{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006790Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:44.886{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006789Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:44.886{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006788Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:44.886{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006787Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:44.886{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006786Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:44.886{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-0104-615C-3201-00000000FC01}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000006785Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:44.886{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0104-615C-3201-00000000FC01}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000006784Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:44.887{49C67628-0104-615C-3201-00000000FC01}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000006783Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:42.964{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49845-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000006782Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:44.418{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3F98004291AEFDE3A73AA3F1E24E033,SHA256=9150CF84DB794F728F9A99889DD77CD179BD234A3A2C9FF15A4A7BE7E5804F57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022396Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:44.741{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0104-615C-0105-00000000FB01}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022395Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:44.741{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022394Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:44.741{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022393Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:44.741{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022392Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:44.741{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022391Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:44.741{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-0104-615C-0105-00000000FB01}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022390Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:44.741{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0104-615C-0105-00000000FB01}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000022389Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:44.742{6EDEAD03-0104-615C-0105-00000000FB01}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022388Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:44.272{6EDEAD03-0104-615C-0005-00000000FB01}63085440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000022387Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:44.256{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=626AFAD9846CD4117BC96A1C4127B93E,SHA256=FF4FA84FFB6DB7497BFECAA6C56A2D8DB0C1A37FE35D7FD6596BAA7AE12976DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022386Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:44.210{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76F2ECFC954A1A9336CBFDA4904F894B,SHA256=C7DEEF5E79E08DBE66B7DDC0E924CBE23568E008A33AA850E2426C3FF3B71366,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022385Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:44.069{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0104-615C-0005-00000000FB01}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022384Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:44.069{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022383Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:44.069{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022382Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:44.069{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022381Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:44.069{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022380Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:44.069{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-0104-615C-0005-00000000FB01}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022379Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:44.069{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0104-615C-0005-00000000FB01}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000022378Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:44.070{6EDEAD03-0104-615C-0005-00000000FB01}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000006813Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:45.902{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A6EBA84193DAA867FE262F9F28BF84B,SHA256=E3E25F040A30896D6A8B87F425F285C6C2C1F8DDC5FA01401EAFF12995BEE574,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006812Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:45.902{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=722ACB7E298526C0BEA6BBA9833BDE96,SHA256=399F6630B4A73C7D0AE7799AA59BFF8E3DCB093D37EA0D13654B2A5B94087641,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006811Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:45.621{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=167029A5A3158C15ABBF55A06C6433C1,SHA256=9CCAC5820238BF855957575CA6F727D36C2C6CDD3FE166DFD0F15A9127E0ACAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006810Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:45.574{49C67628-0105-615C-3301-00000000FC01}1844520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000022398Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:45.835{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98EA76BEDB4C6C7B14C0529C72A5ADC4,SHA256=4D97FED8BFD4BECB5A3482B25AD9FB0DA6631ABAA79C5B162ED65702281079D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022397Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:45.257{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05A06C9C0119237750746F868F6A4341,SHA256=87C9E10A68914A9CE5AB13516BC2E29DB32F364AC8999DBBB3E671EBD937A4C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006809Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:45.386{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0105-615C-3301-00000000FC01}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006808Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:45.386{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006807Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:45.386{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006806Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:45.386{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006805Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:45.386{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006804Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:45.386{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006803Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:45.386{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006802Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:45.386{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006801Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:45.386{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006800Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:45.386{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006799Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:45.386{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-0105-615C-3301-00000000FC01}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000006798Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:45.386{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0105-615C-3301-00000000FC01}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000006797Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:45.387{49C67628-0105-615C-3301-00000000FC01}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000006828Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:46.699{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C840E54CC4D46A521FD389C47B3D891B,SHA256=AC37215310B41FAA675D8F2E7AB7ED4AD36A87D406C349BAD79B9368F7FED0FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022399Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:46.272{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC5DFBD2C41086F98B0FAA7026AC6206,SHA256=58AA3F631FDC24C65E75B3836067727D19922147A8690632F2F1601D0234C6E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000006827Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:44.073{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49846-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000006826Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:46.027{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0106-615C-3401-00000000FC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006825Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:46.027{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006824Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:46.027{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006823Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:46.027{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006822Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:46.027{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006821Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:46.027{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006820Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:46.027{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006819Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:46.027{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006818Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:46.027{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006817Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:46.027{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006816Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:46.027{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-0106-615C-3401-00000000FC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000006815Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:46.027{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0106-615C-3401-00000000FC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000006814Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:46.028{49C67628-0106-615C-3401-00000000FC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000006844Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:47.918{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8DE6670F1DD5B0A0F47C4B56750283A,SHA256=1B5D9CE21BD5F3FF97A874DA21812D9ECDD26240E5EE1DC36BC35C2687B7E9D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022435Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022434Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022433Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022432Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022431Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022430Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022429Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022428Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022427Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2700-00000000FB01}2896C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022426Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2700-00000000FB01}2896C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022425Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022424Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022423Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022422Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022421Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022420Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022419Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022418Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022417Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022416Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022415Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022414Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022413Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022412Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022411Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022410Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022409Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022408Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022407Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022406Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022405Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022404Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022403Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022402Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022401Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.975{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000022400Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:47.288{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F25EEF49C61040A87C24B39201AE3DE,SHA256=343AD292FD9D4B120C9C737BAD0F5C91E802054F68AF8AE44F7AB4A2D1424611,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006843Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:47.418{49C67628-0107-615C-3501-00000000FC01}25762848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000006842Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:47.184{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A6EBA84193DAA867FE262F9F28BF84B,SHA256=E3E25F040A30896D6A8B87F425F285C6C2C1F8DDC5FA01401EAFF12995BEE574,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006841Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:47.170{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0107-615C-3501-00000000FC01}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006840Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:47.170{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006839Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:47.170{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006838Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:47.170{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006837Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:47.170{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006836Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:47.170{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006835Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:47.170{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006834Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:47.170{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006833Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:47.170{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006832Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:47.170{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006831Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:47.170{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-0107-615C-3501-00000000FC01}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000006830Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:47.170{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0107-615C-3501-00000000FC01}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000006829Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:47.171{49C67628-0107-615C-3501-00000000FC01}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022437Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:48.600{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F38CBE0E8A3983D82DDA577C80FF08,SHA256=C66574C3E71936E9B9A83BC8AD9864DD6A308311BD224965DCD37BF57CBFB4FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022436Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:45.833{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61880-false10.0.1.12-8000- 10341000x80000000000000006871Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:48.933{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0108-615C-3701-00000000FC01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006870Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:48.933{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006869Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:48.933{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006868Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:48.933{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006867Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:48.933{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006866Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:48.933{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006865Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:48.933{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006864Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:48.933{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006863Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:48.933{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006862Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:48.933{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006861Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:48.933{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-0108-615C-3701-00000000FC01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000006860Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:48.933{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0108-615C-3701-00000000FC01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000006859Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:48.934{49C67628-0108-615C-3701-00000000FC01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006858Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:48.449{49C67628-0108-615C-3601-00000000FC01}35881344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006857Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:48.261{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0108-615C-3601-00000000FC01}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006856Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:48.261{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006855Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:48.261{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006854Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:48.261{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006853Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:48.261{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006852Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:48.261{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006851Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:48.261{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006850Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:48.261{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006849Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:48.261{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006848Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:48.261{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006847Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:48.261{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-0108-615C-3601-00000000FC01}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000006846Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:48.261{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0108-615C-3601-00000000FC01}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000006845Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:48.262{49C67628-0108-615C-3601-00000000FC01}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022438Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:49.444{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EF35A74DBDD14AC3566E7A926670D48,SHA256=4E747E3462A5F2256D2688CBBAF11C4BE18CCE385B34E8596C9D1D7F0EDEE72A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006887Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:49.761{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0109-615C-3801-00000000FC01}428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006886Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:49.761{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006885Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:49.761{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006884Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:49.761{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006883Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:49.761{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006882Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:49.761{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006881Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:49.761{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006880Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:49.761{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006879Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:49.761{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006878Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:49.761{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006877Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:49.761{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-0109-615C-3801-00000000FC01}428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000006876Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:49.761{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0109-615C-3801-00000000FC01}428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000006875Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:49.762{49C67628-0109-615C-3801-00000000FC01}428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000006874Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:49.480{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FCA4A937CAB64F4CA52A3FC83077301,SHA256=9B6925DA5EB7C99131696BA1CCB672FA7C4BD868BECE8745EFF1CB2F5BDBDB04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006873Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:49.480{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=480DA0288C668F4B38449F6096427C77,SHA256=C0BBF17DAD8E8986B908BCE82C1C5FF5CAE31651778B5355C79BEC5D2561C2AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006872Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:49.183{49C67628-0108-615C-3701-00000000FC01}33003108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000022441Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:50.663{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F09F06BFE02C86B9C2055AC9F417A02,SHA256=AA74BD26DE563103A915134C0A188C6E131C3075B509BE0ED7547646BB496AAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006889Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:50.871{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F91138F5F2A6D853C38BEED218400D41,SHA256=65A74B1E7008D3A2F7E09D7FBD5E5C6AE78BFC43E242A3FF7F582B1026FBD343,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006888Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:50.418{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25357BD82D88DB6DBB14B1935E47221C,SHA256=C799769F099499A62C0B352BD99917903DBC0923A5293BC68A1A634119521FEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022440Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:50.366{6EDEAD03-FC1D-615B-1200-00000000FB01}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C6D078A5E7139BB22101720F257D466E,SHA256=B654527B9E2194805BCA6ADFCCA16F9A62FD2173FB2DFD929F9782D9D62B808B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022439Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:50.116{6EDEAD03-FC1D-615B-0D00-00000000FB01}9082492C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1600-00000000FB01}1288C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000022442Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:51.694{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F2002758FA84EF07C0BEC7A1A142EE1,SHA256=5B112DEBEF975CE3687D39D1C6DA4253AAF84AFC756FBEAB4DE5390F0A2553E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006891Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:51.465{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3D05DF363B238D1147929B13314B4A1,SHA256=1FF0ED7239E45AC2BE8700C8F7CA056E95541D6C29B18B01B0B1A76BBB47E288,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000006890Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:49.091{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49847-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000022448Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:52.772{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D1993C04F6E8D2F0B9ADC5ED778B885,SHA256=69DFDFA00072A599B5C0A2B908A6618EE104216A46CDD666D4F5A898BC12ED1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006893Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:52.985{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\respondent-20211005072534-012MD5=9DBD3CF651CAD1963D7DD9E70795396E,SHA256=D00FE5240C0E39CC33FD8ADFFDA13197E8833401D0A3D05F731F6A79B8E00229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006892Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:52.481{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFB0121BE42112B312C4D88F74B3EF40,SHA256=9CBE7DB4F2BA7C4DED43C987403B8F86522EDDEABE541CA965C532EC23F70015,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022447Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:50.043{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local63701- 354300x800000000000000022446Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:50.042{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local56857-false10.0.1.14win-dc-676.attackrange.local53domain 354300x800000000000000022445Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:50.042{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local56857- 354300x800000000000000022444Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:50.042{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:5f45:5252:c840:3d9e:80e5:ffff-56857-truea00:10e:0:0:0:0:0:0win-dc-676.attackrange.local53domain 354300x800000000000000022443Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:50.041{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local54268-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domain 23542300x80000000000000006895Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:53.996{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\surveyor-20211005072532-013MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006894Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:53.482{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60BD5EA555EDE3C326198A9F0FAD4743,SHA256=B4A2ED098DAC9794BCD84B9CA749585D36994618821AFA7F90D45D810AB2C4E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022450Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:53.819{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=610E8FA15AC1C6C7C76134842C53517B,SHA256=A7F4523F55946AFEF6DA0FC61B58FED27C696D650E58050B40475CE4898AF3D1,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000022449Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:38:53.710{6EDEAD03-FC1D-615B-1100-00000000FB01}480C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b9bc-0x0c010488) 23542300x800000000000000022452Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:54.850{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ABB30D17330472E056D150170CE7CD3,SHA256=EE466E2EA3F5532C8F0F62478B9A0DF605055DF715B62724D6E7D787611B38B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006896Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:54.494{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC514E08E068CACEA69B807FBBF9AD3E,SHA256=6A2FF2FD94A98D41338DCF06B46859FB1DC8D0D1DAE6E5C7AB4099F250C7E1F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022451Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:51.865{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61881-false10.0.1.12-8000- 23542300x800000000000000022453Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:55.881{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E365895586912043913EEEAB5FE9F839,SHA256=B5EFC3526350C4DD62B0F8E61058AB51A014E4016A9E065C50198BA6686A8D7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006897Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:55.497{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D779C22BF7325293634E35F6F58C8469,SHA256=6AF2EE400536CBBEE90FC9B339328309798EF46624B72CB58EC81F6C1CA633C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022454Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:56.882{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16731E0C5884374A934CA4C372036BF0,SHA256=2E50D258E12B70048C98E1F78F886CAC477CABB4C92A3337FDA0DF43C355667A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000006899Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:55.105{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49848-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000006898Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:56.512{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E4A1270E00A3DE3AD1B9E7542981FCD,SHA256=621ACE6871945D73BA285624EDBD883AE42AC3AADD6891A03441D5AD4B440BAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006900Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:57.524{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CFCFE670580B20E5BF1D7E798F8FC60,SHA256=00203C5A3094B81CA56C627C4E7100A8A472A3DD4BB1C725730F574889CD011C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022455Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:57.893{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=310D9794CE42F76E45AAC07C2207ACBC,SHA256=29804E102E97B241F27508918ADCCBDA3D31BAA9CE189A81149D946EAD172B28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022456Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:58.925{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AF49DC34976838FFE0C26FA58AB1512,SHA256=72500DB3B65014DA01A150003D77EC9D27AF813C5A3A45D92F790128FF62C4BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006901Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:58.539{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9384CA20718D4BC7A4494C2223973328,SHA256=D29655255048C63048A5F9AB04B6C3DDF1F71B34C210129B7F221FA8B002DAAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022458Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:59.925{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=527FF4EA55B839774D9A581A4EF0F7B3,SHA256=CBEE8760515145AED46F37643967B298FE273DFE885AA2CDEBF562794A3C1BB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006902Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:38:59.539{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10315DE835EDB765A61844B648914A2F,SHA256=61E0048FC63952477D35989296707783428683CD0989FC42AB84E4864698D958,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022457Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:38:57.627{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61882-false10.0.1.12-8000- 23542300x800000000000000022459Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:00.940{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7BB784EBC0FA71D42D9350C50DCE5AC,SHA256=4AA804524D9CFAE7CBC012DF2FC3058903093E593A0A2A18DAABDDA48B47CAEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006903Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:00.555{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88195BF7A017BAA387CCCA18DC758368,SHA256=560E13CBB2958BA9337E80D009C7E015CB1770CD5F47D3666D5407C5A9CE36DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022460Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:01.956{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37995E82A8208CE7FA5DAD7694B52587,SHA256=9909BDF394A64D9C35C5E7C6DAE1EDF2EFD0063BDD69F617B473C208CDAFCC59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006904Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:01.571{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F05AB7F010672E057D91661A0015F1,SHA256=604B18917A90263560DCBEB7A860C45BC1B7083A6D438192546A1BEFB0333A97,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000006906Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:00.210{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49849-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000006905Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:02.571{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=039E59D9DA23B7A06B2E8039AB43D51D,SHA256=551B6388B41ABA4E70071004FABA9E3539FD228BE0200310C61514E8DC67C9CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006907Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:03.586{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F7BCB33571C241C463C84CB8591425C,SHA256=3C10DFB1A382C27CC356088806F775C9DC78984CD3D2435B44CF74CB9189BB45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022461Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:03.018{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19B13B778F6446FC67098E9167EED229,SHA256=38007EB2241500D81718AC238BECE0F219B880F3A93027A05D0FD0E1851577F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006908Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:04.586{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=449D5D0C4775BB769E9C90E36B3C91FA,SHA256=5356F5B29842CE1D73CFACE59FF7499842D6EAAFDFAAD47CCDD3B7F202C17552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022462Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:04.034{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1751590E2C4773D77AB43401157DE398,SHA256=E0B704A29DD22BD780DD0722A61FB62D707D4923A52F5227C64564868D733813,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006909Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:05.820{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=467B3A25E244766046BB676DF4AAE7E0,SHA256=76156A6DFE43A063C1CBCFA7557D5FC9F12B3DC9E173F6EF4D2B40F8B141F7E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022464Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:05.050{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B45454336E8E8C026687ED59CBF221D5,SHA256=AA1032DF4534BB2F0B8001ADBE0763BAC05BB09F780F00FAD834E33A60D3CFF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022463Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:02.705{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61883-false10.0.1.12-8000- 23542300x80000000000000006910Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:06.977{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D5FF5702999B3B58218A49D2C99FD7,SHA256=7C5E72266AAC030C56EB10093CCD8836EE79F2703760DF7023150F316ADE0831,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022465Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:06.050{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7E7E3F1A3809E2EBAAD9295FAF9E2DA,SHA256=8A46D0AD3B41F1188858F148AFAE72CACEAB44C57D10E7401DAD37C6973BAD18,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000006911Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:06.132{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49850-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000022466Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:07.050{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB39691E6D4B05557506F35175D6D104,SHA256=E5F33DC271D2BF8E11EEB76DF9AAFA96D52F850E2E80906690A63F2A7A8C4866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006912Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:08.211{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAC755413C76130A523E067F468D1385,SHA256=AADA9C4C0F196377BB53788EA56C475168A8C55E50D9493BBEB3D4B097CC178A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022468Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:08.190{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=605E79988B530E3869B96BF7F17CDF7C,SHA256=658716D040E59F3E6DEFA421B4243CD552D840DF0CB62CA314D283E88A32793C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022467Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:08.128{6EDEAD03-FF62-615B-F102-00000000FB01}49805088C:\Windows\System32\taskhostw.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000006913Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:09.258{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A865175F9F9EEB48A5328B91F4EF8F35,SHA256=DF7B2487E1A3845B4145774152EFD886FEFE80C75395563F50B857C458B995B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022485Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:09.987{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022484Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:09.987{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022483Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:09.987{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022482Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:09.987{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022481Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:09.987{6EDEAD03-FC1D-615B-1600-00000000FB01}12881440C:\Windows\System32\svchost.exe{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022480Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:09.987{6EDEAD03-FC1D-615B-1600-00000000FB01}12881316C:\Windows\System32\svchost.exe{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022479Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:09.972{6EDEAD03-011D-615C-0305-00000000FB01}57405284C:\Windows\system32\conhost.exe{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022478Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:09.956{6EDEAD03-FF5F-615B-E202-00000000FB01}9724272C:\Windows\system32\csrss.exe{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022477Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:09.940{6EDEAD03-FC1D-615B-1300-00000000FB01}10321464C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022476Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:09.940{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022475Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:09.940{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022474Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:09.940{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022473Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:09.940{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022472Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:09.940{6EDEAD03-FF5F-615B-E202-00000000FB01}9723852C:\Windows\system32\csrss.exe{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022471Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:09.940{6EDEAD03-FF62-615B-F802-00000000FB01}50525672C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+3d433|C:\Windows\System32\SHELL32.dll+3d2fb|C:\Windows\System32\SHELL32.dll+3cc17|C:\Windows\System32\SHELL32.dll+3c8dc|C:\Windows\System32\SHELL32.dll+e2157|C:\Windows\System32\SHELL32.dll+e20b5 154100x800000000000000022470Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:09.941{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{6EDEAD03-FF61-615B-7756-1D0000000000}0x1d56772HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000022469Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:09.190{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90EEEEFC8F8EBD92A4CBA4CF3DEA46BD,SHA256=32DDF5F24BC13C2854DB84801D9F220488A6FF21D42F118EADA95FECD7AC30E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006914Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:10.399{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B0B9E0C60BF165ED901B9E75C9624A8,SHA256=CEFC5F39BCAA51DB02F5965243B476F09A84AD6D2E3065145389B032CB925C1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022496Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:08.720{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61884-false10.0.1.12-8000- 23542300x800000000000000022495Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:10.190{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCAC0704579B76CAABAB8C32A3B497BD,SHA256=25DC53FEE23E4419650FD751A55658BF3335773B468A2A63E99CAC31957FAF94,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022494Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:10.003{6EDEAD03-FF62-615B-F802-00000000FB01}50524504C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022493Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:10.003{6EDEAD03-FF62-615B-F802-00000000FB01}50524504C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022492Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:10.003{6EDEAD03-FF62-615B-F802-00000000FB01}50524504C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022491Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:10.003{6EDEAD03-FF62-615B-F102-00000000FB01}49805088C:\Windows\System32\taskhostw.exe{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022490Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:10.003{6EDEAD03-FF62-615B-F102-00000000FB01}49805088C:\Windows\System32\taskhostw.exe{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022489Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:09.987{6EDEAD03-FF62-615B-F802-00000000FB01}50524500C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022488Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:09.987{6EDEAD03-FF62-615B-F802-00000000FB01}50524500C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022487Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:09.987{6EDEAD03-FF62-615B-F802-00000000FB01}50524500C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022486Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:09.987{6EDEAD03-FF62-615B-F802-00000000FB01}50524500C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000006915Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:11.539{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7CCE6830922FFA2CBADCA1354D21845,SHA256=E35746D12DBECAC2B0E0749B2A2685D8FCD8C47E259290A4E008D4DD7368BBFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022499Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:11.237{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8EFA3A65A4901BEB2006227671B8B37,SHA256=7FA9FFD4F3DE64BF29FD6A6E6DD0329566DE2BC77A9722990EAE73F013C6CAA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022498Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:11.034{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=314EED7D75DD0651B2DE74D719C8B562,SHA256=57878D73DACFDFFA86BFAD4332715F0A9D421C3E867063C0A98094543AD62B59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022497Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:11.034{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C193D05354FF2E0F1AEC51E04EEF990,SHA256=436451D9283F84C43C7665D2EE1648384E6C4F2F945F9D429A8E656297EE4D60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006916Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:12.648{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A58972AC1051DDCFF2B9E1CA38F4719F,SHA256=5400B7445E6B0CF7A12492856317A887B79BE85F1334FB08FD7BA12BE3AF57B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022500Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:12.253{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22D033599D5FCE4E3348BBA5A98F4963,SHA256=6B277D79485559E6E13B9CC04524F650176134CE784C6713D234DF0AAD4907F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000006918Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:12.179{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49851-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000006917Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:13.648{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D75FFE8697013B5E89FDA023272264,SHA256=55A3C9DF9E56FFC13544ED87FE1AAC9C8B226CAE9EBC72DFA2E0768F9F4549A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022501Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:13.268{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A63788191650DC90644C77A3BF3B7D77,SHA256=BF6792F37571410F82FEEED657638BDF8F9795D84FB01683D3BDF76FD477E46D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022502Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:14.268{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9A4A2CA7ECEC8AA476DDF8934E66E56,SHA256=60E8817D97A18B99F3E72BD6AACDD60F6EA1E0445E144E031452A14C41F846FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006919Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:14.648{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8913F02EFF395F3D8B537D2410DD7E11,SHA256=1720244DABA9A3A0263369FD4DAA64EB220DE1F1B54889FEAB03F0108318AB44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022503Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:15.487{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E216F441D75D235239D30AE7FBC5220,SHA256=273C362A5F49A414151A272EBF2C10ED17A2946C49CE178493D8D19EC48FB614,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006920Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:15.648{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70F1EF3BE0B082DC024D762894ACF9A5,SHA256=998B3A323D7D75C3F7744EC42670431CF3C1A42170544621AE669AAE3BA973AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006921Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:16.648{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D0186ED942C9F5C47C7284E9F8DD95D,SHA256=5A60AB7769CCADEAA01CFED2ADB7F5169E905FD2C1273FFF91A654BCB6D481F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022505Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:16.487{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F4154BAC28ED9DE7D03C9AF87AEE3F3,SHA256=B99166D3595685754F3A4A34F430D956B026A114D35FB1642E5745E8275037CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022504Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:13.777{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61885-false10.0.1.12-8000- 23542300x80000000000000006922Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:17.653{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=026FF4FCF7C035C3591FCEF6B0A94DD3,SHA256=46E5E55AD79F0A25662C94C11BE9E7C97D04F86F79BD53906673CABDD03064B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022508Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:17.492{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C1D03354B26B06D644485293A2BDD8,SHA256=9E12B57AA445A8DDE671E404A4CF538DDF14E28421D12145931E5CC379EA317B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022507Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:17.305{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=827C5893E27DA0BFAFE50A77C7C9BADF,SHA256=71087A092C8F7799755DC82AF23481711F5B9F5C342B4D680DD171F59AB7F2D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022506Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:17.305{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=314EED7D75DD0651B2DE74D719C8B562,SHA256=57878D73DACFDFFA86BFAD4332715F0A9D421C3E867063C0A98094543AD62B59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022511Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:18.508{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E945E00925073B3EE253B1E09E9D08E,SHA256=DA5F779253BDB0338F3950DA218EE5B818FF94853A9214E9538D9C2287529049,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006923Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:18.653{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9E46D8BE76FBA637B12ADAA5B9FAB23,SHA256=302880F967D9DC90EE57786ECEDDC506AF3458ED9DFDA1A8E5BA4888CEE950D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022510Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:15.893{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local61886-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 354300x800000000000000022509Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:15.893{6EDEAD03-FC2A-615B-2900-00000000FB01}2912C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local61886-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 23542300x800000000000000022512Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:19.523{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F282E4CEC8376305112DDCBF37297E6,SHA256=84FC3EB154C2D408F904C57AAF49D791AA555695AAC35A211DD77D36492D083C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006924Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:19.669{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3670B2157CA28E3CAA934FF697F3320A,SHA256=6BB1F333E6543415D4A2A03F5928AE3F67334128C09B98D7890FF88C11A8C48D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006926Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:20.669{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18886B17439DF3F430DCEAF9BCE26467,SHA256=515079BA91DA38EEE0814F831FF248AE2969DC57238E0DE1601100A382D44789,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022513Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:20.539{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14FC6C834E160D6A839AC6A0861F9A22,SHA256=EC0D73E1CA8D1E6F0A9597B5271B7CCABD5092737E82881B0B4ABB6741EE251F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000006925Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:18.199{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49852-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000006927Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:21.669{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09119722B9A0E2C31030EE9D92776283,SHA256=1ABB72581DB9C053D9BB477C0F8348B78599928A9327DEA0D4AE38477A5D74FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022522Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:21.539{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9125BF837BDB6FDE864E102A295D5F8E,SHA256=2F1AE5A9014C257093D07562DAF73B4B7CF86C84FD163B4127B74C99D95F2ECB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022521Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:21.070{6EDEAD03-011D-615C-0305-00000000FB01}57405284C:\Windows\system32\conhost.exe{6EDEAD03-0129-615C-0405-00000000FB01}6880C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022520Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:21.070{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022519Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:21.070{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022518Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:21.070{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022517Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:21.070{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022516Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:21.070{6EDEAD03-FF5F-615B-E202-00000000FB01}9723852C:\Windows\system32\csrss.exe{6EDEAD03-0129-615C-0405-00000000FB01}6880C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022515Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:21.070{6EDEAD03-011D-615C-0205-00000000FB01}54284716C:\Windows\system32\cmd.exe{6EDEAD03-0129-615C-0405-00000000FB01}6880C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000022514Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:21.081{6EDEAD03-0129-615C-0405-00000000FB01}6880C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigestC:\Users\Administrator\ATTACKRANGE\Administrator{6EDEAD03-FF61-615B-7756-1D0000000000}0x1d56772HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x80000000000000006928Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:22.669{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34479FC2B3206C66B178FE27FE79F16F,SHA256=FFB40D01DF97FAAD5B6FED53D1D7CF50D751A29619B04D87201DC280847C242F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022525Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:22.539{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A31564490F1BC086B369954E0B3D54C5,SHA256=09F4F2A13FAEA4505CDD5490181DE9B9A9D8519AD5E7F2DA25A05B9D52DE1731,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022524Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:19.741{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61887-false10.0.1.12-8000- 23542300x800000000000000022523Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:22.102{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=827C5893E27DA0BFAFE50A77C7C9BADF,SHA256=71087A092C8F7799755DC82AF23481711F5B9F5C342B4D680DD171F59AB7F2D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006929Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:23.684{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61B9E987891255FAAA3B81B7A63101E,SHA256=100DBDED98BF57CA4763DE00C8DE332565B8F9E6CDF077D1917541E6D5113FAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022526Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:23.570{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09C6E9648B64601968C6D6A22E291A08,SHA256=17581E20C520110C81626DBD35E2C2C36BCA4EF58091FCB35A61701A22858CB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006930Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:24.700{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23E8C5C9662E0214322E8EFC3AC625D4,SHA256=2C362E22AB4EC54A20A74AD1E88D1DA14FF313F97C67F628DA61EA96F4DFB408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022527Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:24.586{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E987B23E16EA319C72E4198DC6128E2,SHA256=FAA649598DDCA28A550F111AC7BBF08D9BBD2EECFF8BF7D23E031B36A756E545,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006931Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:25.700{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2917358F705826AF5629E19F2E2AAA67,SHA256=2E3740AB571C0EF9F310FEBFBA6F8663BF6E17E601C6B4D6C9EE6A66164AFD75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022528Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:25.586{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57D3BD5D0C9C7E61D82185F75D6E37E6,SHA256=1612A7E7D440F5AF0FA2E167521D96B86015E8472923CD12DC759C4AE05786D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006933Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:26.700{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FF7409C578AA2D724D297BFC50E2254,SHA256=DF0E44AA02F7D03433F7109B8FDD76F2EB195CEC5CD14F91F50F47A31EF8FFAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022529Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:26.602{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=915D8CAC584291C2867E195ABDB3220A,SHA256=A0F4141B8B1778E836A5DEC37F2BD44E16B163FB533432AC9668EFEACBBEC12E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000006932Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:24.246{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49853-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000006934Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:27.700{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F285D47C19CDC551820EB033B5CE2F00,SHA256=DCEF38880ECAB3962221004830541F48635B37DD24630FD597DC60D8CB4A20F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022531Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:27.680{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E6D120B59035CB6288B36BC1A468D43,SHA256=26ECFAA6611813C1AAC1FC13E20BDC553B9694F2C793DA4A14E1003B86B94018,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022530Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:25.726{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61888-false10.0.1.12-8000- 23542300x80000000000000006935Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:28.716{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E14553BE3542DB0550858DC45D6D6E4,SHA256=6DC2E0FDBF78AFF1EF5154D743D64A1E6B1DED1C80297D4082B9F72AEC3BCF0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022532Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:28.774{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE638691EE4CE3F0D3696AA7C5C1AEA,SHA256=B0509312A829D88A3EC778B8A7B7E723259735C268A237B8D6AC803B7BAC1A57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022533Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:29.789{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EF6F1A1D59FDF0396DD84C6767BDDFF,SHA256=86A16B864627330040E954E1760DC5C68EEB40BA21DE5CBBE9F34E39BABB17D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006936Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:29.731{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=409DAA765F7DE65DC4714A87CA022476,SHA256=5EB8CBEC01E4F978B7D1235D9B12A83EE274C369A765C001E1DC7AA53EF33C20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006937Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:30.731{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E72E234603DC78185B8442CA30CC92,SHA256=59B6EA3010204AC82D218EF25E79E825160762630738711A95A9B07D660CC5BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022534Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:30.790{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C342DB493310EAB21B5F49EA09DC4BF,SHA256=512FD1A5E37E3A13CA84EFB55BEFC33BC9F40E204A9FFD99F085F19AEFB99F73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006939Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:31.747{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C21FD59749A7C497F457898128B24AD5,SHA256=7CAD5D09195505EF490134F3C4850F91780089D11A01BFEAC4AD9D71EB91E6DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022535Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:31.806{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D97E52D2F6012D5FAE41EAE436EC64,SHA256=9EB2C90C29805DE1AF712D9D8149EE5E081E62751B7AE1EE9E02ABC1166CB966,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000006938Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:30.293{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49854-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000006941Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:32.762{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=922C98D5A4C4A58E3F303AD19AF601B2,SHA256=D041E6E806104EA4427A9DC5BA5C7E2D98777C399E818BCA8DAD6E6CD6C554E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022536Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:32.821{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE332043C0984B322E3487FCF285D7C0,SHA256=FE23F2C7285DA41FC76150549DFACEACB756A6F7585B6936A13131BA831EB6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006940Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:32.137{49C67628-FDEB-615B-1100-00000000FC01}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9395EC316069F09B7D7D2D560A1DF1AB,SHA256=A5F1BF525ED970BF8CF54837009A7F7CD1510DD4812378716C546655467BF927,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022538Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:33.836{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA4911A80A14E705FF9AC7E8647C777C,SHA256=75B3221E1D91E2D6A3B2777071E6B5EE86843AC88F105317355A46F74507FA34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006942Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:33.778{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1708F7E19058145B34C565010BC25C34,SHA256=71883625CA36B5B0F14B0FB440D8D24D2887163278EE8E0176BD36B3FE8B1C11,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022537Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:31.725{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61889-false10.0.1.12-8000- 10341000x80000000000000006946Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:34.965{49C67628-FDEB-615B-0D00-00000000FC01}7762624C:\Windows\system32\svchost.exe{49C67628-FDEB-615B-0C00-00000000FC01}728C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006945Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:34.965{49C67628-FDEB-615B-0D00-00000000FC01}776936C:\Windows\system32\svchost.exe{49C67628-FDEB-615B-1000-00000000FC01}924C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006944Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:34.965{49C67628-FDEB-615B-0D00-00000000FC01}7762624C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-1500-00000000FC01}104C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000006943Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:34.778{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD497810AC3D709E29E9ACBD31761340,SHA256=D890D6A3B25A4C0E4880D1262B196BE891287D49892C89FB3EED449AAD9782FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006947Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:35.778{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B516653E05B35A72B59156E72190216F,SHA256=42457B88C8239DB451644B55E7F81352FA0FFFA9933980E0AC9DBDF84CFBA74A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022540Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:35.793{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\respondent-20211005071805-020MD5=AA6F78CCC35FD74424B933C975A9F779,SHA256=482DFC86E7C4A11E76E3E352EB64B396C84C083D9F57F37823883232EC55A225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022539Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:35.070{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FE7A0D4C8FB77FBDBD0F5CEC1A49969,SHA256=265A6D948AC14B4BE720E6650BA3AA60328ECB0A3980DE42DE2F800AA933784A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006948Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:36.778{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53465D6F9EF635D7550D578E8D3040AB,SHA256=4CCB38AD4D2F3B8FD5FA6A157A901144C7A7A012EB2C1104C10104E2FC3172F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022542Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:36.807{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\surveyor-20211005071802-021MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022541Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:36.165{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=976CD03C585D8B886DA8C271C4E3D92D,SHA256=4FBD099B5D4753E54B0E5FA0823168D51FEC5493C1D9D822929A0070C1532FD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022543Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:37.179{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E4435150A7AFF9F424FD9A62716EEA,SHA256=E13810D764043E782C1499FA746BC20A799D71BE681EB81AB0322FF2F3275B04,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000006949Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:36.184{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49855-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000006950Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:38.017{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D7D7D72D505633AE280F85B030BEEB8,SHA256=A7C43DADE75D5F90A565DD76E8AD1F706265359F22B397B76F2E3DC306C24BD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022545Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:38.671{6EDEAD03-FCBF-615B-AF00-00000000FB01}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022544Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:38.187{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E017C0A75B8D6D9C5AC61363F569CA30,SHA256=586E924CC2015EAF0308721D8C54944B6062BD1AFF005806AB86C50AE6BEB66F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006951Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:39.064{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F7BF458ED54A2560E5A2A0A2CEC03F8,SHA256=2BA4BCBA0E164EAB1006AA55CAB081618AB3D7DEFE24A4E977D9C650C96BD25D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022546Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:39.218{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE720F13072E203B071B54B0338A6DB,SHA256=EDDE30DC79C7ABEEA5C55013AF843A305A0836FBD57785CC32D3CB14750DDC70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006952Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:40.298{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BE21B90C25916BC2699F4A07896A2C7,SHA256=B4BDFD86691FFDF10C5EBA6B79EB131F8B2735ACABAD76ED6A31D68B73460CBF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022557Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:38.264{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61891-false10.0.1.12-8089- 354300x800000000000000022556Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:37.732{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61890-false10.0.1.12-8000- 23542300x800000000000000022555Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:40.437{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=678CBB14B33EAE9E8A7DCE356E0B35B0,SHA256=91333C0AE9888540F64AF63EA457C013F9F78DA568B2884C785FA3C754D69C0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022554Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:40.343{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-013C-615C-0505-00000000FB01}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022553Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:40.343{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022552Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:40.343{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022551Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:40.343{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022550Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:40.343{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022549Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:40.343{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-013C-615C-0505-00000000FB01}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022548Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:40.343{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-013C-615C-0505-00000000FB01}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000022547Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:40.344{6EDEAD03-013C-615C-0505-00000000FB01}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000006953Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:41.517{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E33EB07A53526C390D646655E1CB4EB,SHA256=409EE7073A32E8A974F8D3D9D294F9F35CF726E2F1838C00F9822FE374213325,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022577Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:41.593{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-013D-615C-0705-00000000FB01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022576Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:41.593{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022575Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:41.593{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022574Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:41.593{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022573Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:41.593{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022572Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:41.593{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-013D-615C-0705-00000000FB01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022571Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:41.593{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-013D-615C-0705-00000000FB01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000022570Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:41.594{6EDEAD03-013D-615C-0705-00000000FB01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022569Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:41.577{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8E87E919BD544EFAAB6D9105477F134,SHA256=FA87EF2E6AD01BBBB1EDDFC2F384F8B0AF15B60762614C54E9B8CFBD890A7B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022568Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:41.577{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BE7FCC4B0870540BE0AB5C56D0C37D7,SHA256=6D489ECCCFC55D8EC77254ECC37A0650FAFCD973B4191DD0065E340914037C08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022567Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:41.452{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E849EC478FE290A5491AFC64AF6429C,SHA256=4044ADF96D9374C69A2196860DC722CB9308AF83E587A1CAFEF5E2E4C4B924B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022566Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:41.187{6EDEAD03-013D-615C-0605-00000000FB01}60766992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022565Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:41.015{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-013D-615C-0605-00000000FB01}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022564Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:41.015{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022563Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:41.015{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022562Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:41.015{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022561Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:41.015{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022560Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:41.015{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-013D-615C-0605-00000000FB01}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022559Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:41.015{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-013D-615C-0605-00000000FB01}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000022558Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:41.015{6EDEAD03-013D-615C-0605-00000000FB01}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000006955Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:42.970{49C67628-FE68-615B-9F00-00000000FC01}1772NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006954Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:42.673{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96630CE29D3377FA8F76BF50B954F210,SHA256=5E4219788814A36D95968F4844DA9342892F5D41C763DDB4C3EC9F8925F03604,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022588Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:42.702{6EDEAD03-013E-615C-0805-00000000FB01}18881892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000022587Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:42.624{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8E87E919BD544EFAAB6D9105477F134,SHA256=FA87EF2E6AD01BBBB1EDDFC2F384F8B0AF15B60762614C54E9B8CFBD890A7B2A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022586Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:42.546{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-013E-615C-0805-00000000FB01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022585Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:42.546{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022584Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:42.546{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022583Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:42.546{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022582Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:42.546{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022581Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:42.546{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-013E-615C-0805-00000000FB01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022580Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:42.546{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-013E-615C-0805-00000000FB01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000022579Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:42.547{6EDEAD03-013E-615C-0805-00000000FB01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022578Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:42.468{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3F690E25F9174FD4976B8FF6163AED5,SHA256=87873A77577D434390EB2AEB296CE04A74E10D023F09ADFB3F046C89AE2943A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000006956Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:43.798{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B2A7D3485D38D79C3172D5B0707DA51,SHA256=F597FCF72F285B7B7790273E1B51A7AAC77658DC4B0DA42F19BE77758C8A7DDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022598Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:43.530{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=968F531FACC507BC35A63CEA8E846B35,SHA256=AB11CEE19029F222ABB227EAA7AC65BD5365FA64DC5BA21AD88B2CBF857F6706,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022597Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:43.405{6EDEAD03-013F-615C-0905-00000000FB01}69683596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022596Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:43.218{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-013F-615C-0905-00000000FB01}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022595Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:43.218{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022594Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:43.218{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022593Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:43.218{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022592Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:43.218{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-013F-615C-0905-00000000FB01}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022591Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:43.218{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022590Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:43.218{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-013F-615C-0905-00000000FB01}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000022589Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:43.219{6EDEAD03-013F-615C-0905-00000000FB01}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006971Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:44.892{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0140-615C-3901-00000000FC01}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006970Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:44.892{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006969Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:44.892{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006968Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:44.892{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006967Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:44.892{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006966Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:44.892{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006965Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:44.892{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006964Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:44.892{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006963Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:44.892{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006962Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:44.892{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006961Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:44.892{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-0140-615C-3901-00000000FC01}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000006960Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:44.892{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0140-615C-3901-00000000FC01}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000006959Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:44.893{49C67628-0140-615C-3901-00000000FC01}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000006958Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:44.830{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3185ED9625CBAB8470B61F672244C9DC,SHA256=79E990A422A4978FAAF19B7EF64C00133BFC7EA525EC61F468F9116FB4E44149,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022617Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:44.593{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0140-615C-0B05-00000000FB01}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022616Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:44.593{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022615Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:44.593{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022614Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:44.593{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022613Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:44.593{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022612Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:44.593{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-0140-615C-0B05-00000000FB01}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022611Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:44.593{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0140-615C-0B05-00000000FB01}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000022610Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:44.594{6EDEAD03-0140-615C-0B05-00000000FB01}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022609Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:44.546{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2ADD98B05BFD0AD95EEAE6D0BF49C4E,SHA256=8DAEDDDEE2796A5A8F030DBA59BD8AF327508D43BC1E29A2DF2DDE46AA65309E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000006957Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:42.204{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49856-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000022608Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:44.280{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18355E03210162A721E48068C4D3DA13,SHA256=D6AF39B67D46766AFA0AAB6235A26102A6BC3B2D3F9FF9DF1E40CE0705B26010,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022607Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:44.218{6EDEAD03-0140-615C-0A05-00000000FB01}35886840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022606Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:44.062{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0140-615C-0A05-00000000FB01}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022605Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:44.062{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022604Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:44.062{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022603Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:44.062{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022602Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:44.062{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022601Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:44.062{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-0140-615C-0A05-00000000FB01}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022600Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:44.062{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0140-615C-0A05-00000000FB01}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000022599Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:44.062{6EDEAD03-0140-615C-0A05-00000000FB01}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022619Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:45.733{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9179CF117B8EB9BAC779B1EC63539FB1,SHA256=5D0DEFC1FB448627C55B368AEF934C500823F8F26166E902F9EC016A89A6C237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022618Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:45.671{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=791A172CA39CE056D6F421D64E81C701,SHA256=3F9AF19040DDC6266ACFA50283AAFB01EB760BAB607125B28B990926A958F295,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000006986Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:42.986{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49857-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x80000000000000006985Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:45.548{49C67628-0141-615C-3A01-00000000FC01}40242716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006984Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:45.392{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0141-615C-3A01-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006983Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:45.392{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006982Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:45.392{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006981Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:45.392{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006980Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:45.392{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006979Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:45.392{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006978Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:45.392{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006977Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:45.392{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006976Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:45.392{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006975Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:45.392{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006974Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:45.392{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-0141-615C-3A01-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000006973Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:45.392{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0141-615C-3A01-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000006972Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:45.393{49C67628-0141-615C-3A01-00000000FC01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022621Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:46.749{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5B8E2C2EA927DB3A772FB034AB58C6C,SHA256=8DC0CDA518ADF3E14D4BE9DEE3A9A6C7CB372C456E7F55E065E870DF24B83328,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007002Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:46.236{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=052570D7F8447143679AC17554DE4313,SHA256=8D551BBA650BB2B240B213CB7C49EF45E27B8CE0AAB9C65F84030EFC57DD571B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007001Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:46.236{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4572EF2CAAC0CEA57CE117B81FBDF78,SHA256=42BBA2A649C966785CADAB6653280C71FBF95B4190C3E78AEB8B0A56E6DD39CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007000Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:46.236{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AC747C96AD6C17D6DE33366362A5110,SHA256=1871E5E3E8A4FF720C7C40ADE3895C1FDE003953A275FECAC68B1A179F932939,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000006999Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:46.064{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0142-615C-3B01-00000000FC01}436C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006998Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:46.064{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006997Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:46.064{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006996Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:46.064{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006995Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:46.064{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006994Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:46.064{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006993Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:46.064{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006992Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:46.064{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006991Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:46.064{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006990Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:46.064{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006989Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:46.064{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-0142-615C-3B01-00000000FC01}436C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000006988Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:46.064{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0142-615C-3B01-00000000FC01}436C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000006987Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:46.065{49C67628-0142-615C-3B01-00000000FC01}436C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000022620Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:43.686{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61892-false10.0.1.12-8000- 23542300x800000000000000022622Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:47.765{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32D9A19F53E63ABCB2B98A7EAEB78487,SHA256=004AF6E9C7640EED633CC65E8A8D9C6A2184067CB14AF7437566B6F86156152D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007018Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:47.345{49C67628-0143-615C-3C01-00000000FC01}30443996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007017Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:47.173{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0143-615C-3C01-00000000FC01}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007016Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:47.173{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007015Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:47.173{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007014Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:47.173{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007013Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:47.173{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007012Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:47.173{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007011Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:47.173{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007010Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:47.173{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007009Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:47.173{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007008Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:47.173{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007007Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:47.173{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-0143-615C-3C01-00000000FC01}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007006Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:47.173{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0143-615C-3C01-00000000FC01}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007005Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:47.174{49C67628-0143-615C-3C01-00000000FC01}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007004Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:47.095{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB8E5D278D9666EDDC66FBDA40789FB8,SHA256=E0435DA70CB05634E09CE220561B08B02F32F1643D0C74ECBB61E6E64A0B4334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007003Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:47.080{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=052570D7F8447143679AC17554DE4313,SHA256=8D551BBA650BB2B240B213CB7C49EF45E27B8CE0AAB9C65F84030EFC57DD571B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022623Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:48.780{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7203DDCCDF790C2B47F3D4A867F7069E,SHA256=7BFF68003231B9B38780E4B901E04A21F2D1E8704FEBB0A4BD57A65653E9F4F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007047Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:48.939{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0144-615C-3E01-00000000FC01}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007046Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:48.939{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007045Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:48.939{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007044Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:48.939{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007043Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:48.939{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007042Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:48.939{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007041Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:48.939{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007040Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:48.939{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007039Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:48.939{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007038Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:48.939{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007037Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:48.939{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-0144-615C-3E01-00000000FC01}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007036Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:48.939{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0144-615C-3E01-00000000FC01}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007035Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:48.940{49C67628-0144-615C-3E01-00000000FC01}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007034Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:48.439{49C67628-0144-615C-3D01-00000000FC01}21083428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007033Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:48.267{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0144-615C-3D01-00000000FC01}2108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007032Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:48.267{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007031Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:48.267{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007030Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:48.267{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007029Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:48.267{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007028Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:48.267{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007027Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:48.267{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007026Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:48.267{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007025Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:48.267{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007024Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:48.267{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007023Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:48.267{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-0144-615C-3D01-00000000FC01}2108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007022Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:48.267{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0144-615C-3D01-00000000FC01}2108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007021Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:48.268{49C67628-0144-615C-3D01-00000000FC01}2108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007020Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:48.205{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE6A8ECC8914721C5D75B37199B5CBFF,SHA256=374C052468BA0F41D18D775A0AB4CF14C4D1A691606F7352F5079EF561B8BFCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007019Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:48.095{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9A4726CE36C7BD339E0ECDE992500AE,SHA256=4A1568293A8BEA4A0794BC0D46780C399525334975D1FDC321EF124BFBCF9839,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022626Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:47.986{6EDEAD03-FC18-615B-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-676.attackrange.local138netbios-dgm 354300x800000000000000022625Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:47.986{6EDEAD03-FC18-615B-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-676.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x800000000000000022624Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:49.827{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7D6C744BD10A8F74F71BE216165C8DD,SHA256=710BA1F91BEE1EFC931ED30D5255A69489177E92DA26D84E6C287ED368B0433A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007064Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:48.158{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49858-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000007063Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:49.767{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0145-615C-3F01-00000000FC01}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007062Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:49.767{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007061Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:49.767{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007060Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:49.767{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007059Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:49.767{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007058Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:49.767{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007057Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:49.767{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007056Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:49.767{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007055Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:49.767{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007054Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:49.767{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007053Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:49.767{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-0145-615C-3F01-00000000FC01}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007052Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:49.767{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0145-615C-3F01-00000000FC01}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007051Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:49.768{49C67628-0145-615C-3F01-00000000FC01}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007050Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:49.267{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A6E5A89F4C3BEDA62CE637F5046434E,SHA256=0AAC5B26FC4B46EC24345B1934628D5CEF0885B0467DC2C9C6C5578F8A9FF915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007049Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:49.189{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F358A506D7B2FC2AA4FBBF317BF60BD0,SHA256=ABDB4A193CC7B18BEAB937D00DD309B592873C237555D575AF511F7EA576487C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007048Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:49.142{49C67628-0144-615C-3E01-00000000FC01}24763188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000022628Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:50.827{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C52BF8D29098C871F0B9EAEF46139D9,SHA256=FF2D83B3BB635EE434E2DBDFB43774811608A35BC66413B80E95588F3388D44C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007066Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:50.798{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A034E52407E6350A2B1FB467200CA545,SHA256=9650B32A8C25613FA4609ABE3E2F7FA2D7DD8E5884353B89286BFA39ECEB787A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007065Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:50.283{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25C61CD47D978A0A2A9E0477E843AF8A,SHA256=3DB20CFB9288860B77716036F5D3BADB86AB614A604AF325C4A32135E45E9C76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022627Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:50.374{6EDEAD03-FC1D-615B-1200-00000000FB01}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4B3B41C74C6DB9269A1174693CCA70CF,SHA256=C5F397E98A832C52D979AABAF5BFFEDE00BEA03952068DD60631002B13F24DB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022630Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:48.857{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61893-false10.0.1.12-8000- 23542300x800000000000000022629Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:51.843{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE9E40589907E17C66F6068E118D6C1F,SHA256=3D89C6CDD9E59A193E6077058AF43B482B5E3FE01DF853F168415ACF1B58DC3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007067Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:51.517{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E06E651F7213AD0384D5BE81F9FAC46E,SHA256=F51C1A019B616C6DCDA6E45482518F511B713F717F7C890A0B96CE8B1F1C8632,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022631Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:52.859{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19B42DDA4C9F4BE7E627D1C0961B4D43,SHA256=95BA17837C6642D13098EA06878D651E8C436F54E78CCEF5DF724A93B16675F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007068Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:52.752{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D1CDD92CF374F7305EE947E708E29EB,SHA256=9518D98EAD358AEF275BCE6413CADEEC0DD825A95FE85CE16077F3D316FB4DC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007069Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:53.767{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0FCE20DF2AC30D26852FEFE74B484E1,SHA256=312063D9018FFB6E08D8574F1291E75822D02920785CBBEF4007030F3BE4CE53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022632Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:53.874{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DB72A050F2299C1E36676BBAE78732C,SHA256=45BD0C349E09F43A4C822036AF58DEAAB5D325F51083C01D7E436C08875458AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007071Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:54.896{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BE03B9D558BBCA21F3565A2638AEB61,SHA256=19929FDC83BCF319A3843C408ADC242252BA6F3D10CCBF5F6226C213C8AFFA5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022633Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:54.890{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CCAC170F1D427B0C7D0740CE224A0DD,SHA256=5B1DC07CD31F0AD725DEC643FBE4622BDA2AC608F8EC73CD02796C7AD61A77D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007070Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:54.520{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\respondent-20211005072534-013MD5=9DBD3CF651CAD1963D7DD9E70795396E,SHA256=D00FE5240C0E39CC33FD8ADFFDA13197E8833401D0A3D05F731F6A79B8E00229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007074Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:55.910{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFA8572BD980642377553A27A7D2A295,SHA256=D6328B2B2B3346D6B48618F5C162B4E5862EEF179554F6234E9BBDFE3AF004B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022634Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:55.937{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1475876086F0707B0E6E2119ADAC7BC2,SHA256=72C08A0CEE94AA15BF043BDD511859C1B13D8021C08AC468641272CED805A4D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007073Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:53.189{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49859-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007072Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:55.523{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\surveyor-20211005072532-014MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007075Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:56.912{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8DC60F57758779880D6B41B32E41900,SHA256=E29BF662F04AB9BF455877AA36B8832C6CF66DC327F51C7D90A9C266C5BC567B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022635Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:56.343{6EDEAD03-FC1D-615B-0D00-00000000FB01}9084776C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-EF02-00000000FB01}4920C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007076Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:57.921{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB66FCBD42379A62300DF1D7AC041AD7,SHA256=89E87B96D4E5AB9ACDB036608B85BCC3C3BEBFD737598A34248303DEE41E2665,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000022640Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:39:57.745{6EDEAD03-FC1D-615B-1100-00000000FB01}480C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b9bc-0x322bf919) 354300x800000000000000022639Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:55.298{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local58495- 354300x800000000000000022638Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:55.297{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local57090- 354300x800000000000000022637Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:54.623{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61894-false10.0.1.12-8000- 23542300x800000000000000022636Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:57.015{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A1ACC4018658E43DD9992BF9B739D48,SHA256=BA5B8A72F4E6F12A3C1598A0DFF46666D5923E337ABE416A4EC8CC3279CE5E1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007077Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:58.921{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CD2EB66B0C07CBF90064CC1DB76C64B,SHA256=174ED7A92FA6A02AF490BADE6D9EACDB37C3712421B0D4A3FC988FED2ED24F8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022641Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:58.198{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6E47424C346B61583F1FAE3EE5672B8,SHA256=690C99CD80220D151E848880F559EE1F02ECEE92839F8AF7EED571182914C4D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007078Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:59.921{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=920086EB15A676B4C9484C00B9C5DA96,SHA256=AE008174290AEEDF8E17E9EB02EA066A7762BCE265E883F918CE1E3FB988B481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022642Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:59.354{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33A849702C64A4EB1E23B189B78867FA,SHA256=4D776F29610BA3010C26FC91EBC532B0F762D3EC6D0667E60F2961E120D19DE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007080Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:00.921{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=932CBF83269ABB215ED44E31973EBA75,SHA256=F30B893E8E2F77619A1921164AF143F71D13EEBB151CB80D6099BD75E9A8C65D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022643Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:00.448{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0217BADC3C1537E838616710BD3F1A1,SHA256=56A9C6F126073ED9230507187E06B58E8A3F1A9E89B2CEE1D6223613997AD71B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007079Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:39:59.061{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49860-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007081Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:01.921{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1067571EA396F68EFFB1200484A770F,SHA256=EC8B6B47181503CDCA0E82B352DBE6E847757508334820F8F4F51781441A1C15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022644Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:01.448{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DA179EE1939B74F76793250A796B23C,SHA256=A6CFCC8303EBF681FAA0FD0889BB8BC9A8401B7A2DB8986F3D0C8141358F5B87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007082Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:02.921{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF6A18A1957F1958140AB537CA661984,SHA256=121812E439D13186FECD218D34019C9D5752F1CEE6D3BBDBB99DDBC26570E3EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022646Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:02.479{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9928EF56A56495D2545B7E18B960763C,SHA256=ED8F214274D076EB5896940DF9D453B900019AF8D11921BABDAA810789EF7FE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022645Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:39:59.634{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61895-false10.0.1.12-8000- 23542300x80000000000000007083Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:03.921{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00E79206DCE0FC43CC460D3E2E6466CB,SHA256=032F788FB4B35B47A6542E4D48627B81C880389D4313D10EDE34E7583F749259,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022647Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:03.495{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82ED1ADB89102195E06DECE7E357B1F2,SHA256=A83FD609E1D0DE68F7143B457E9A5E80AC975DEEC4D3C550519912C01AA71557,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007084Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:04.921{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5015D9528746C42C2A1761BDFC35670F,SHA256=F51FA0A873F4FFE1644827D2FE0C4975FC4183952BFADC33CF24DB52A28985CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022648Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:04.526{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23ABD08AE243F887E8A6DB714C1E9FD6,SHA256=075B8C84E355AAE96352E00C0B2440E0A7BF3A1CB4FFB7851B5AE0E3C3966C4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007085Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:05.921{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D03571588540D285712F943077BB512,SHA256=2819617119069E2962BA746BD82818BA73CA9B1F8EC2DA80A7BF2FAAA240222E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022649Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:05.557{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C1DE8E36203389A360330860FFC81B6,SHA256=9FD7BD79100207BD8B6DB59AA7DAB6DC29334C1E8BACE2B66F9AA358A01F4436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007087Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:06.921{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF5ED858DFC5EA9E12B17024607679B,SHA256=DEE87346C15A7A83D97F4F72C386FC998DF3240C7DADD86482144214506CFEF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022650Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:06.588{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B004A9517163DC1ED72A89C200958828,SHA256=7BE62D511244F2467C799D6B30065C0C9175CDE23ECA9AAD3EC4AE4844E7576A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007086Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:04.202{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49861-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007088Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:07.921{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC0DD7E2DDD15E5E8293ED5DA7FF90D6,SHA256=767679A0A97ABCCE4C381FDE864852353B47B84590AA84DCB989235EBD5EB9D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022652Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:07.588{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79FEE2D4AA93F0DB5D31E6529824C113,SHA256=AD57E8768071F077E0FDA6492B2623A5403975181CD65D53EDC970E4DA3DE25C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022651Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:04.743{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61896-false10.0.1.12-8000- 23542300x80000000000000007089Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:08.921{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=256FD93DAED9B7FF3E707242ED2B922F,SHA256=61091577D2437AF9BA54A6B52AA005D24D8F5B65E969FF17C4EBD1E5AC57BEFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022653Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:08.604{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=288709943A36D3D23A89B0D937ACCCD9,SHA256=277294733BA1E22B9A3F874B1CFC95E4F83306A27179FC099171F1E073E7D39B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007090Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:09.921{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B824429FCD9223763312F2C082EC0505,SHA256=83B6FB827961A91D42792F406DA64A735DEAE7100E40373152A959B8A3C72DCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022654Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:09.620{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E0E4133358EFCDA0790EEDA2F473A2C,SHA256=1F24E8F0831B32BA3C24869DA7AFF370A95C6351B5BE67E65AA9DC281A16818F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007091Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:10.936{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B869E9946F9F1D3FA171A91BC18CC0A8,SHA256=5576888020134072DF6A64839D54221962C65309740334E497F5C06DFE012347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022655Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:10.635{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADD05DF4095F11BC2496984C3294C4CE,SHA256=06487E941BF42B375506886A17C89E8FA727C98A59248C719C2FE007616EBF03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007092Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:11.952{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44EAE758477BEE1AAD78CF9048082996,SHA256=7659E51F17B1E6592BB0A24430A6086E87FE9CA391AD3FE3F46B663C3CF9FAA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022656Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:11.635{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B7291ABB5DE9345F6604582905C9EF,SHA256=72BB715A7138684FF6B3E28D189101B0E59AE02E140E2F80565A45BF676BB872,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007094Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:12.952{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50FDDECA8C58DA4C0F30E778F65C5B5C,SHA256=D22D03DC30CD6ED1F42F2402101DC025571C46F1E0CFC5B61004C4605A023665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022657Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:12.651{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795C0CE8C67160F2430D300CB59925DA,SHA256=8767AEAD0D2D384E25C1A1D57B6418F98873CA091B0F01FF17743760A35F4530,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007093Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:10.124{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49862-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007095Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:13.968{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=032744DBA9CFADE2AB385530E01AE3CD,SHA256=3EFA5CFFB92B113F51272754CE0B75704BA43DC7738DE92746F8FF73CEDF4DEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022659Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:13.651{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=075567CEE2A926F5A67A47CB47372B57,SHA256=3E1DF9B56D735FB1F1C4BC648762933030CF1DB563B52654D762232780D8AA6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022658Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:10.728{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61897-false10.0.1.12-8000- 23542300x80000000000000007096Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:14.968{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F07C4E9991BEF0E612B5F118CDEA00D,SHA256=AEAEE963D4D419A9AC7E358FD237C1E04A80031D534824C5115E7F3AEA57DA56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022660Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:14.651{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=604BC8CD672E78DE996CEA695DCCE558,SHA256=C8A3BBE89483D7DA148ACA0B7524FC12671B616E07C5AE8DA300C36486D82FC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007097Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:15.983{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=312EF6DD801E6AC3CF26C1C744A2B27E,SHA256=51363F48D37033989AD7E6989DD620CC6D8B59FF30FB50A4B6F1A9546FE46557,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022661Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:15.729{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19A0D36B676FDA70CF1299CE1CAD3C57,SHA256=B17E6B7EB0E76D627B91EAC599F91689577BDFC7A3127D546C3D5DB2795E24CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007098Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:16.983{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07FBFCE2455BAFEC4B5BCF72BFD3DEC1,SHA256=1D74F9FB53B2D8DE25DD8F29C2E7642A0B0CC11FC6FAB090FD5F83F38631C992,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022662Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:16.729{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=783B9556F3FBC1068484F22C782C02EE,SHA256=BF923A509C551E1A59EF331A224F6F7100F25D4892761003251BB79C90D81185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007100Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:17.987{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AB47D6954C82FFF22E88D5EA690EF07,SHA256=73615BDFDDF1A7B9DCCA7EEFDCA907F77344249C6FD69DF3FD1A8F8F17D7E7D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022665Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:17.967{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDFAA8E62A9CC2561CB3D9BCFA15ACE2,SHA256=51AD96A9765DCA693D5C0D73159806DC66CF784171E8DB609112E61835BEA3ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007099Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:15.265{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49863-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000022664Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:17.292{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2298E7FEF38790D382D98E21E3E63869,SHA256=44EA053C67B09B9438A252BBD4255488A7BFFB4125479835D97F91D4438D6DAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022663Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:17.292{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0255D630EB1BDEA7FBB74ECAF128825,SHA256=D2D99853520046E92245F020857EFD8596657569C437238687BA8D542ABA4517,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007101Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:18.987{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFF2F952C33B78B1BDEA8751711734B4,SHA256=63DDAC5AAB35533F9E324B91F5A9FDD633B9535A0D64E78A758593D18BA6CBA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022668Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:18.983{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9175A67F71180FC661A30DC8320981BA,SHA256=D690ABCBEA74E1D4940F5BDEF742B192127F6F68C1122094306AE46DA0CC66D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022667Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:15.900{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local61898-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 354300x800000000000000022666Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:15.900{6EDEAD03-FC2A-615B-2900-00000000FB01}2912C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local61898-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 354300x800000000000000022669Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:16.712{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61899-false10.0.1.12-8000- 23542300x800000000000000022670Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:19.999{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F3ECFD99FABB98216088EF595A32313,SHA256=9EEE142AAED3DC1057A4E613852B4512AACFFFA70273468F5E07C08A1E1377BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007102Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:20.003{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A2E008F3CF08CCDA21FE929E203FA80,SHA256=F862367ED6844CA624D7499CA9F45E15AA82E0E3819AF554EBE14C66059A2895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007103Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:21.003{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07232D7EC7529CDD25E3C4D9C237F63F,SHA256=6AA5D92DBAE722777F8F4D63A2EAB61EA1E318B797F29D9756C26CE40CEF1E42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022671Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:20.999{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C4C0D6FCDCD96629DAC2497536B71C6,SHA256=ABBCB44D7993CE095BC98108336960A37C3F2874E3ED549F550209347B3F8903,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007105Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:21.159{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49864-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007104Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:22.018{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F4D51897D37EF86CC9837771CA90CE2,SHA256=2DBD86A902EEBE88B41171C1D2BF06BE9DF238641006C70ECB8F9542C23B1662,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022672Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:21.999{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9609E2867149634564A84EC667FA11E8,SHA256=24DA12935CC8C6E20FE7F314C8A37CB9C2A00D6C7BF38BD1AE11ECB8B250767B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007106Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:23.018{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DA01F34A4221181A1F970C6EF7FFC16,SHA256=E368C42122ED9DEC0F6B88DBFFD99518C9E405962EB60B3EF0E03F59D19E8CA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022674Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:21.732{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61900-false10.0.1.12-8000- 23542300x800000000000000022673Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:22.999{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=419417269A1E82250031D2C23DAAF92A,SHA256=D07D27E849D7B741C1A78A3E85DF4E8023906DD5027457FCD5CD9F44EFF3A08C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007107Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:24.253{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E7A3542EE50F51FE925A75847594BCB,SHA256=5097BBBDE6E7D3CFA2C8EA5918954B8DBCB1B91036ADB60E7E74DE07751B032F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022675Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:23.999{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C53B7BFBD567C6DF39115F38D959418,SHA256=56425129511C89C4BD2E3D81201C49CA27ACE3764BD07D5F037691B5C401E128,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007108Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:25.347{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16F5E0F8AA30D8BD4D92F5AD880726AF,SHA256=A196A2F4DC86E4717FF35DC02CD14A789AC2ECA31EC44E55F0B60EA98CCF0ED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022676Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:25.014{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA24F40C3E89D2DC539D22D295E149B6,SHA256=08765A5D6A836B048509F8BCBD08ABA1100FEB9E29733CF3E637ABA8448060C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007109Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:26.565{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B495C698F277A8819719AE47960BBE1F,SHA256=EE97F6667BF08C035FB3B67C1DCD54E5086847B9803053BFDEA01C8E4922F0EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022677Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:26.030{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D01D2A164EDBA09AD85FAAEBC67E24BB,SHA256=0DF6EA3EAF0D891F3A6A528F9AF18E197B6831CDF46BAC999C18C5E48171ADE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007110Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:27.800{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=082B123395CD6A81B43854A7A9E5D3AB,SHA256=94F49373A047F386BF5C2D09B9593CC477D5276E58F73CF15A03D9C50050003C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022678Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:27.030{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0615D574718E2A894F966C72CF1367B6,SHA256=0F2B6F104F8CEB8B85401EB850698557286785B3392E4640E5D696540A1D8CBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007111Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:28.800{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5348BC5D33428C5307BBE1AA9CC4121,SHA256=4B4BCEA0AC2B55DAE84A4322B3AB2E4C7010C76915536E4A758BBCF2F07C9CCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022679Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:28.030{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54ACD8C5CAAEE8778A6C3DB45F2EF791,SHA256=E0AC6D6A6ACC1BBD6EF88681EDD82F619752324A1E988AF649D7C9A2BBF12C63,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007112Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:27.175{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49865-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000022681Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:27.669{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61901-false10.0.1.12-8000- 23542300x800000000000000022680Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:29.046{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2FA189B023ED457B562C0F3949D2BAE,SHA256=5018C796F85DD3EDCAF903D2948044EFAEFD93BCD2D1ABA25036DA4B11CC6AA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007113Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:30.034{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4DC20737551EA51A3E9EC966EF7D1D3,SHA256=DC4F6821222D385F44865503EF77DC8E00A288DC45ADE07747BB6C384E7C8639,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022682Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:30.061{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=865FDEC4CB1287D9E5B0E0C5FB460F37,SHA256=8BC8C450D67F22F68C5DDA36BB16396138C5BE3C8FC2C50FECAE375C73CDA19B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007114Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:31.065{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=525B8C20864DB8CA989D16BF09BDEFA5,SHA256=B0A746C05F99570712C96E7222F08D4039525766E3B0915348FCD276B36ED268,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022683Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:31.077{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=882B91946F27F1307A6DEBE6EC022AA3,SHA256=5032729837F83189DB3EF56AC91739FA27892357BAAFDE212A5987E4CDA8FC63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022684Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:32.092{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5BA43B9414FCAD3F4DEDC98CEB51418,SHA256=A2C87CC580B262984C69BE694FAAD7B1A5634B187CD28E6C9289383FC48CA3C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007116Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:32.143{49C67628-FDEB-615B-1100-00000000FC01}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E8B793175B06DC450B55C6AF5784597F,SHA256=13EDDC674ED6746B5436DC4DAEC3E0E03EBFCE1E9F290B0419147C9C6F455FC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007115Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:32.081{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53BCA27494F055762CFA25D176487A18,SHA256=91E928F9B50E07C816CDE9963089AACCAD682D70D1D39500A17B7BBCD385FABB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007118Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:32.238{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49866-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007117Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:33.081{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04785A5ECB106BAF17FED5D542D3B3D3,SHA256=2F8C949C6997C009B09B6F8D75630353818AB2F2147CBDD3C7F66C28BE4BDF40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022685Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:33.108{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5476F448A792AA95BF44F31907CDAD95,SHA256=B436675F1F2CFA55D525C72E30FE981E410CD1BF2D2F416E36DD51B67E0A0D36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007119Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:34.081{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20920D98DCBC540E877972EF9EBB1C9E,SHA256=DF9AE9D9C14388F11A5183EB10AAF80B086AD8363D8141FB63F987CB6C03C06F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022687Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:32.841{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61902-false10.0.1.12-8000- 23542300x800000000000000022686Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:34.124{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33BB7B229F58E2CCA77FCF4AEC240CCC,SHA256=80B558A8CCA0DA22960A97CF9367B4E51F4394948F901FE764F2FB2BEE830D1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007120Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:35.094{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=909B0E79B2EA727EE837671425CEBA40,SHA256=E24A98D185283F1980BDBAA0B507E50E0CB21C75C0124645B615754B28C1F38F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022688Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:35.124{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F45BAA5D26903642EDE83CDCAA549487,SHA256=A41A0DB8D5D04DDC8A6664EF7E3CED0BBFCB30D65573C7C1DCAB84A27968C6A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007125Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:35.093{49C67628-FDEE-615B-3A00-00000000FC01}2836C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49870-false169.254.169.254instance-data.eu-central-1.compute.internal80http 354300x80000000000000007124Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:34.965{49C67628-FDEE-615B-3A00-00000000FC01}2836C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49869-false169.254.169.254instance-data.eu-central-1.compute.internal80http 354300x80000000000000007123Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:34.927{49C67628-FDEE-615B-3A00-00000000FC01}2836C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49868-false169.254.169.254instance-data.eu-central-1.compute.internal80http 354300x80000000000000007122Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:34.926{49C67628-FDEE-615B-3A00-00000000FC01}2836C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49867-false169.254.169.254instance-data.eu-central-1.compute.internal80http 23542300x80000000000000007121Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:36.094{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7329D2B9D19ED0C3B5219952373543B5,SHA256=C11F00A4E64949E32DBE814FD4918DF78149D9C59331F9C4D9170B657052148E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022689Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:36.139{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A4E0D38FFEFEADFDB0614B483D591DA,SHA256=B4D6F46C2F7D72189D62C273F349333737E2EC88BC6F8508A36C7AE15BDE8AC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007126Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:37.094{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22555201617F83C53726214896F6AE57,SHA256=A6CE2E294005CA2A7C20EF0A4C8E9426EB82BD8E7DF39B82F8E7C31FBAC3283F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022691Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:37.316{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\respondent-20211005071805-021MD5=AA6F78CCC35FD74424B933C975A9F779,SHA256=482DFC86E7C4A11E76E3E352EB64B396C84C083D9F57F37823883232EC55A225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022690Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:37.141{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14B6B7CE5B08967B4E90F1A7F682D9CE,SHA256=FB30AE997575F17ED35B72D001F0B33D1B5E44BBE03561812BD07EE00C739D12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007127Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:38.102{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD2368B334178A0552887BBC44640AFE,SHA256=894BC7DDF31732F74AE5205EE2223D5A82E8090EB7763309CA955B656D7279BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022694Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:38.690{6EDEAD03-FCBF-615B-AF00-00000000FB01}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022693Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:38.317{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\surveyor-20211005071802-022MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022692Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:38.144{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14D4ED88EBFA2C05CC556C5966D04D86,SHA256=06CFBA4C04085D044672AA4CCB3EDFECB9808EE1D8FDF49FF10715FDFB5A6109,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007129Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:38.149{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49871-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007128Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:39.102{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37F2AA29FC304F46F5439F7DF9092524,SHA256=66005B6E6EF2E115219FD6891CD1B460F214C9F9AD0D78ACBBBD311774BDC086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022695Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:39.146{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10CFE3E268275F8BC4EFE08F6E31F0DD,SHA256=0F1B80D9D791C1356A510D04B98393395BFD30C6FD977E1A57551145DCDBF2CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022705Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:40.349{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0178-615C-0C05-00000000FB01}7056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022704Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:40.349{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022703Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:40.349{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022702Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:40.349{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022701Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:40.349{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022700Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:40.349{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-0178-615C-0C05-00000000FB01}7056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022699Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:40.349{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0178-615C-0C05-00000000FB01}7056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000022698Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:40.350{6EDEAD03-0178-615C-0C05-00000000FB01}7056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022697Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:40.162{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFD25D92179C31E23B5D1100C4046570,SHA256=1FA1FC2329D6A667664DA5E5551ABF0726B2818616576838EFB51EF7EBDC787D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007130Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:40.102{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABAF52ED438C51A2A5373762BFFB46C1,SHA256=D17D0AD6647163B52D55FB9220CC1512BD6C528A6AD5684E1DD4C995A01C94E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022696Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:38.282{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61903-false10.0.1.12-8089- 23542300x80000000000000007131Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:41.102{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B952BEC2C7C058EA85B56FA5E867F20,SHA256=1C51DA05BFFF5C59BA3B20B3579DAFCD03BEFED76F737A6F2783A21F2A39F920,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022726Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:41.693{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0179-615C-0E05-00000000FB01}6396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022725Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:41.693{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022724Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:41.693{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022723Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:41.693{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022722Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:41.693{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022721Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:41.693{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-0179-615C-0E05-00000000FB01}6396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022720Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:41.693{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0179-615C-0E05-00000000FB01}6396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000022719Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:41.694{6EDEAD03-0179-615C-0E05-00000000FB01}6396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022718Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:41.365{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DCDBC5861488B13F05EAD37B9C91AD1,SHA256=B2CC845AD0162E6A74F8D5B32E6CE98D89FECA4985BDC3B90B5000CFFC499DFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022717Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:41.365{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2298E7FEF38790D382D98E21E3E63869,SHA256=44EA053C67B09B9438A252BBD4255488A7BFFB4125479835D97F91D4438D6DAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022716Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:41.177{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B4A1F358A4BC012C053305DD0F5FD30,SHA256=5A917626771995A30281E590806B9D94332CE24305B69BA5F081F7A8D3DCB4B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022715Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:41.177{6EDEAD03-0179-615C-0D05-00000000FB01}56926356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000022714Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:38.675{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61904-false10.0.1.12-8000- 10341000x800000000000000022713Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:41.021{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0179-615C-0D05-00000000FB01}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022712Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:41.021{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022711Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:41.021{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022710Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:41.021{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022709Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:41.021{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022708Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:41.021{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-0179-615C-0D05-00000000FB01}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022707Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:41.021{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0179-615C-0D05-00000000FB01}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000022706Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:41.022{6EDEAD03-0179-615C-0D05-00000000FB01}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007133Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:42.992{49C67628-FE68-615B-9F00-00000000FC01}1772NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007132Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:42.102{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98513F3AC41A8F8D52651E717F503DA6,SHA256=807D931434972354CBC30B378F7B7011E3031FC76E38A6F83E53D396569B0C26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022737Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:42.787{6EDEAD03-017A-615C-0F05-00000000FB01}63844524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000022736Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:42.709{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DCDBC5861488B13F05EAD37B9C91AD1,SHA256=B2CC845AD0162E6A74F8D5B32E6CE98D89FECA4985BDC3B90B5000CFFC499DFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022735Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:42.568{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-017A-615C-0F05-00000000FB01}6384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022734Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:42.568{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022733Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:42.568{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022732Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:42.568{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022731Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:42.568{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022730Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:42.568{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-017A-615C-0F05-00000000FB01}6384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022729Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:42.568{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-017A-615C-0F05-00000000FB01}6384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000022728Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:42.569{6EDEAD03-017A-615C-0F05-00000000FB01}6384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022727Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:42.193{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA0AEBDFD58401EFC1FEAA95B5505E2B,SHA256=05145AD1C0F1DB50427221D28411A6CA5079FDD0BEC391247F95FBD0A27FB478,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007134Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:43.117{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E519AE5789F9AFC78FA95F6CEA67B0E,SHA256=D0C3A8450FD067B2F005C0639A9853054BB153B89CF6610A09D5774D581D584B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022747Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:43.240{6EDEAD03-017B-615C-1005-00000000FB01}64007080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000022746Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:43.208{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=121D713BCA185480C1A75F77711A99F9,SHA256=ED07D3EE71A2E1C536806749AD88C7A306B721E8BBC90FC72F52E98E56787187,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022745Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:43.068{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-017B-615C-1005-00000000FB01}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022744Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:43.068{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022743Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:43.068{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022742Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:43.068{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022741Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:43.068{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022740Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:43.068{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-017B-615C-1005-00000000FB01}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022739Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:43.068{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-017B-615C-1005-00000000FB01}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000022738Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:43.069{6EDEAD03-017B-615C-1005-00000000FB01}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022766Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:44.740{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-017C-615C-1205-00000000FB01}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022765Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:44.740{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022764Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:44.740{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022763Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:44.740{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022762Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:44.740{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022761Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:44.740{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-017C-615C-1205-00000000FB01}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022760Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:44.740{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-017C-615C-1205-00000000FB01}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000022759Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:44.740{6EDEAD03-017C-615C-1205-00000000FB01}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022758Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:44.224{6EDEAD03-017C-615C-1105-00000000FB01}65363400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000022757Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:44.208{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8DAEAFBC2748063794F0212C034D505,SHA256=4EC818964A23BA0DDB0F488C40F5B362257F6523180995E02C02383A70146E17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007149Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:44.899{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-017C-615C-4001-00000000FC01}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007148Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:44.899{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007147Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:44.899{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007146Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:44.899{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007145Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:44.899{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007144Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:44.899{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007143Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:44.899{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007142Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:44.899{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007141Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:44.899{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007140Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:44.899{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007139Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:44.899{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-017C-615C-4001-00000000FC01}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007138Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:44.899{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-017C-615C-4001-00000000FC01}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007137Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:44.899{49C67628-017C-615C-4001-00000000FC01}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007136Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:44.133{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ACD9869B7E3A84B03835C128E8C036B,SHA256=7153625825235203D7AB4582F2723B2AF79FBA3390EAF92BB33AC00B9FD36AFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007135Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:43.008{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49872-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000022756Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:44.083{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D76907F19CAB2E342299F7A449D5CD2,SHA256=F2ED4EEB016B6B6D776FA29D4F606DA322049D22BDF0E3385BEB408557183627,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022755Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:44.068{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-017C-615C-1105-00000000FB01}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022754Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:44.068{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022753Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:44.068{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022752Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:44.068{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022751Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:44.068{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022750Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:44.068{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-017C-615C-1105-00000000FB01}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022749Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:44.068{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-017C-615C-1105-00000000FB01}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000022748Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:44.069{6EDEAD03-017C-615C-1105-00000000FB01}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007167Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:45.945{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF550A62857B5E01AEF65BD8D3EA4663,SHA256=8264CF26FAFDAB29CAEEC2364A532649EBB8B1DD5A3E75F72D98683FC44044A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007166Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:45.945{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7094C58B1FE9CA1608D9E6146BC688F0,SHA256=40A1ADF12A99437D5603BFFFFC743440FFDE29C07086F19CEA586FB47C22394F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007165Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:45.758{49C67628-017D-615C-4101-00000000FC01}24962104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007164Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:45.570{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-017D-615C-4101-00000000FC01}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007163Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:45.570{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007162Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:45.570{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007161Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:45.570{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007160Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:45.570{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007159Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:45.570{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007158Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:45.570{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007157Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:45.570{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007156Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:45.570{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007155Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:45.570{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007154Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:45.570{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-017D-615C-4101-00000000FC01}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007153Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:45.570{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-017D-615C-4101-00000000FC01}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007152Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:45.571{49C67628-017D-615C-4101-00000000FC01}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007151Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:45.149{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45A21497331F42D82E7AC0991B7DDF1C,SHA256=B9E398F45B66A1ADB2210319288D54A790FEE3D3DF8C03485F4BE8A65A9F5EE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007150Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:43.149{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49873-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000022768Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:45.958{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=869CB5C6D18790ECC1E72A9B5A66603B,SHA256=2E7CE1E6B887EFA68D5CC3B6AEF3C3991EF2C19B0DCE7EC1556A1AE5C1AE94A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022767Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:45.224{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CD45D16363CFCBBBA936ABBD7E76F2E,SHA256=62D2F2476933FABE4F3FED2B395569057818A697225CE280C97B0A455AC53EF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007181Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:46.242{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-017E-615C-4201-00000000FC01}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007180Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:46.242{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007179Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:46.242{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007178Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:46.242{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007177Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:46.242{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007176Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:46.242{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007175Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:46.242{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007174Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:46.242{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007173Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:46.242{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007172Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:46.242{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007171Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:46.242{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-017E-615C-4201-00000000FC01}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007170Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:46.242{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-017E-615C-4201-00000000FC01}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007169Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:46.243{49C67628-017E-615C-4201-00000000FC01}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007168Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:46.164{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=032D15CC14A00B0DD332A8FB40D71389,SHA256=DA4D73306CBF9B864D1DDE5B0DC2C61713675655999DB5BCC561552439865015,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022770Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:44.676{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61905-false10.0.1.12-8000- 23542300x800000000000000022769Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:46.224{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC031A25D8273AF913C5B5876960B042,SHA256=B063F2A44C7DBA1D09A581627C4AB7164FABF7A4FA1A6CA31CC2CB541D03DE9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022771Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:47.224{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A23A7772734D086F343B5CED069CE36,SHA256=4FAA4A4A6CB6E9692E4532F3C1A8C56D2138A56DB3D4D14E35E4EB9890201F15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007197Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:47.399{49C67628-017F-615C-4301-00000000FC01}30563604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007196Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:47.258{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF550A62857B5E01AEF65BD8D3EA4663,SHA256=8264CF26FAFDAB29CAEEC2364A532649EBB8B1DD5A3E75F72D98683FC44044A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007195Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:47.180{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=200704990AA4E631D030A8F699A53780,SHA256=311D97E4355F56CF4D4E1B123C3A68979B3574B07FAE52FC7EB456D75F930D02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007194Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:47.180{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-017F-615C-4301-00000000FC01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007193Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:47.180{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007192Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:47.180{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007191Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:47.180{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007190Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:47.180{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007189Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:47.180{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007188Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:47.180{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007187Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:47.180{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007186Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:47.180{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007185Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:47.180{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007184Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:47.180{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-017F-615C-4301-00000000FC01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007183Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:47.180{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-017F-615C-4301-00000000FC01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007182Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:47.181{49C67628-017F-615C-4301-00000000FC01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007225Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:48.961{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0180-615C-4501-00000000FC01}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007224Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:48.961{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007223Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:48.961{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007222Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:48.961{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007221Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:48.961{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007220Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:48.961{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007219Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:48.961{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007218Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:48.961{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007217Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:48.961{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007216Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:48.961{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007215Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:48.961{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-0180-615C-4501-00000000FC01}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007214Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:48.961{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0180-615C-4501-00000000FC01}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007213Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:48.962{49C67628-0180-615C-4501-00000000FC01}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007212Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:48.430{49C67628-0180-615C-4401-00000000FC01}39924008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007211Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:48.289{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0180-615C-4401-00000000FC01}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007210Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:48.289{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007209Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:48.289{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007208Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:48.289{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007207Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:48.289{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007206Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:48.289{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007205Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:48.289{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007204Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:48.289{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007203Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:48.289{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007202Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:48.289{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007201Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:48.289{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-0180-615C-4401-00000000FC01}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007200Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:48.289{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0180-615C-4401-00000000FC01}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007199Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:48.290{49C67628-0180-615C-4401-00000000FC01}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007198Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:48.180{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F18A6AA64BBB2297F2EC156DE34BEA4B,SHA256=4E787896E2093DE8038D7541F5920FB25C229DF5C892626974006B4B04A43F0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022772Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:48.224{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C33A73B45FC79965315A9CB5757486C0,SHA256=052F9BD3018FEC88EDA8D3C535CEA74897270448F04517ADCAE72C7102F1E87B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007241Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:49.774{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0181-615C-4601-00000000FC01}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007240Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:49.774{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007239Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:49.774{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007238Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:49.774{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007237Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:49.774{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007236Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:49.774{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007235Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:49.774{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007234Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:49.774{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007233Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:49.774{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007232Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:49.774{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007231Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:49.774{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-0181-615C-4601-00000000FC01}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007230Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:49.774{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0181-615C-4601-00000000FC01}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007229Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:49.774{49C67628-0181-615C-4601-00000000FC01}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007228Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:49.461{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30E677835F9B13387C5F0D80297CD700,SHA256=0E6D6666584E6B3604F2C3A16D45A4B38FD0B87A06143B2856BEBAAE29DF2FD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022775Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:49.646{6EDEAD03-FF62-615B-ED02-00000000FB01}48005308C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF62-615B-EF02-00000000FB01}4920C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000022774Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:49.646{6EDEAD03-FF62-615B-ED02-00000000FB01}48005308C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF62-615B-EF02-00000000FB01}4920C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x800000000000000022773Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:49.224{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAED024D81208960C1CBD98421F1B829,SHA256=EA605B71EC2370D229CDCAF58499E9BB22908EFF515F64DE27E83EB69A90919B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007227Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:49.289{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A669BDD17E336475E2F4E00E611511D0,SHA256=E111C75038CE9DACF29D6127A8A931AF9549724C76A9F32F5062CC4EDA031C87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007226Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:49.180{49C67628-0180-615C-4501-00000000FC01}35003528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007243Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:50.789{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5424A4CB575C0E24ABD037A8AA623861,SHA256=791AE8C4743D75872BC3DEA60C3A66579B6615CDBB212AC562D361A49D805893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007242Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:50.633{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE25BAE5AB25EE3BBBCC66942C0E601,SHA256=8CAB9880EF3B8AD3743073FD8ADCD7C5B4E501117B30C394573598E409FA4542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022777Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:50.380{6EDEAD03-FC1D-615B-1200-00000000FB01}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8B7B90EA44FE09F63747200B44E584BC,SHA256=853246EC10551DB09092AC1507025F2C9B29A0B24D38130588055907891D56CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022776Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:50.240{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=007E225175E37FBDAFA1914D3F2E935B,SHA256=F2843A66F987659105A6772F72265682D3206900F4A7A29BE279312024E1FB81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007245Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:51.867{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83BCF082ABBFF44A61F0F0953E591BEB,SHA256=CE81D9791284C58E4ADF802F4DE0554769D4D69AE7027B902BFD802E0F22CDE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022779Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:49.816{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61906-false10.0.1.12-8000- 23542300x800000000000000022778Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:51.255{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE6539C9DD380F104A6CD455AA60542C,SHA256=057719EADFC3FEBFAC0AF2BE9DF52ECA4589F7CBD332509A1BA5F4ACBB0B251C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007244Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:49.150{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49874-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007246Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:52.993{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F054787605F2B855C5FD85135FA9ABEE,SHA256=030E6FE88D844BCFE0B74F25E914C5E450AC62F1FAEF834D2C5AD89CEB0A9022,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022780Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:52.255{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60435CD82E6220AA98A070A692AF3457,SHA256=004A8975EF6B2F08506DC35EC9321BE1D26E90FFCFFE7127A668A98CFF12182B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022781Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:53.255{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF398A08FC2DEC6597D85AC59F9A1AAE,SHA256=4A8DF00AF61A90A684A24E9BE955B9496BC8425E52569445409892867F9EA832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007247Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:54.211{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2C4943EFB913931355D9E7B934965BB,SHA256=0AF92EE13CDE1F78F1F4C0A5732452C3A240BA3A8B282FD2080A53FDC046CFB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022782Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:54.271{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF0DE71434FC726C3E28282A37768579,SHA256=18C3EE9CB29B5B0858738FDAB75647547CCCCB3FD9BF7CA064329697E3421F1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022783Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:55.271{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBFFDC7C37796D9BBED37B429FA4BA97,SHA256=F52EB3AD3B31DA2211475B100F436BA7D5A75B815709DFF3D85922AFC09F64FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007249Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:53.132{49C67628-FDEB-615B-1100-00000000FC01}964C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:20fd:326d:f5ff:fef0win-host-340546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x80000000000000007248Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:55.211{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A9DC65DF01C295FF66D107D4C3CEEF8,SHA256=8DDDACC7BB0326E2EA2FEF87500460C7B0BBEC69CA47120DFCB7C3DF5EBB3B98,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007252Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:54.165{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49875-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007251Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:56.217{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0247D089677AC17BB425B941F659951C,SHA256=7F1E4479DFA4FD5AC4607365DD8F8BD3641C16D46061919FC586509C46DA3692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022784Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:56.287{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3CC161493680C3C42C7815169637D6D,SHA256=28AEA511FA717F8DE78CDA6A97E7AD59D9CF62930EB36590B4B5EB39B2760EDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007250Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:56.041{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\respondent-20211005072534-014MD5=9DBD3CF651CAD1963D7DD9E70795396E,SHA256=D00FE5240C0E39CC33FD8ADFFDA13197E8833401D0A3D05F731F6A79B8E00229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007254Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:57.230{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A27DE556B68ADBC482D1B929B64A4E0,SHA256=F3CF08BFB247579A0E3291297DD3516DAED7D3669A18700BD0A2CFEBC0697FFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022786Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:55.710{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61907-false10.0.1.12-8000- 23542300x800000000000000022785Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:57.302{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B029AAB49C4C047B6A67C71D35932E61,SHA256=6B8F5AC4CD6D65AB116F277428899B697543F4D44E58E8B96A418FA992F7B0A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007253Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:57.046{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\surveyor-20211005072532-015MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007255Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:58.239{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B3547E94E58D2FA982FE727AE3A6C75,SHA256=DE6D240B8B73EEE5F2E7E3638498962B20E29969B9FB4EB26D6749BD5FE3A479,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022787Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:58.310{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E47A809368844D44DD4FC221756C000,SHA256=4628DC6F2DA9D1DBEB3A98660D96DDF62638CB9BC209CAC5B9CE876680EC2874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022788Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:40:59.310{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8CA66E82759514D32A3043561A21B92,SHA256=F5F91FF46B1B7D74CD4433C6BC677960BB41DB588A5900AEA3C81D70318ECFB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007256Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:40:59.239{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BA1E7306B725A2A62316D455BBB2819,SHA256=BE7BD2C544D3BDA0CB070F52D8403012DB0D4F6F23B8DBE9CF4ECEF374D9D4F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007257Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:00.255{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51C1A9A601F8FABFCAC65CEC023C685B,SHA256=F29E8C0C9A47F4A6D5C9D44DFE69290EF9705017B7DBBCBDB88DA95F9CA0A247,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022789Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:00.326{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87DCC8EAA96C3A883BD67D095703B3D9,SHA256=16535A8C16FFC17F8A036CF904DE4FE8BAD2CDE44F5840C2A40296FF989010A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007259Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:00.146{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49876-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007258Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:01.270{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A34807D2FEE8355E7B31628B1CFC500,SHA256=857A96D0F5EC78F98213FFB2BE383BFCE72703AEE0224E4BBB5CE9CF22178828,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022790Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:01.326{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3958FCA0F26A2EAEBC8EE20EADDB9C76,SHA256=0A155BF1930D81A74FA7EFBCC9BA502ABFF2D4F322612CEAB6F82C2D59F059CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007260Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:02.270{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=011F69DDF8233FE8150694983A038CC4,SHA256=211878EC8E9A7CF131E423679B13E8F86A01261AE4839B2DDECE03EA17FE813D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022791Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:02.326{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB253A4CC352ADD56797406837E51167,SHA256=0D8D9D1B0F6B0E8AFBE4557F28A17E73CAA3EC6522D9907F0BB024684B5083EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022793Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:01.668{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61908-false10.0.1.12-8000- 23542300x800000000000000022792Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:03.342{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89F28FFEBF35C6CE013611EA6E23818A,SHA256=31D7A420F731B8861314EED7F729E6ADCAAA34BBD5160EFF42807D954844168D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007261Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:03.270{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=345B1D8BA881207088525441202620F7,SHA256=9E6EA87268AB92B7C71ACFFC52336AA988F0335B5AE5E60922A6A52186783CD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007262Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:04.270{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69A12A922E0EC5D500E8A6E57310DDF3,SHA256=D72B159DF29554376D61FE4EFB4F862DD517D0196C38C7513205C349FBB821A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022794Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:04.357{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BAC591F212FFD2629C3B64D45944D3F,SHA256=3CC10BD03BA01404FCF5775CA8B061BE27A6FB811E330E07FE20C160EDB190B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007263Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:05.270{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA9D50B33F4A5D4EAB0EE094BEE57CEC,SHA256=B2A421419A4D132499831232AECDE4FFEDD426A5BE6F5388A2870822F4B3EE2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022795Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:05.420{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=503211BD34D61AC306A72AB099E2D3CC,SHA256=90D0553EFC2FEE63A9E0A647EC42BB4446169002C6F990A6A02038BE7B0320D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007264Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:06.286{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB3A22762F030CB63E21CDC377A309E3,SHA256=842FEB67319B4433E0D3E7093ADA86BB76C0C333AD96E09BF01E89C15A9563DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022796Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:06.420{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FE6B256662B55ED139319AB7917D882,SHA256=1E345C2EE506AF46006333319940771D779AC375AC21B74F10B8135C6E51368D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022797Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:07.435{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E91CCAB43A9D00D7421CCEF21820798,SHA256=94542AB1A8AC169D7CF4BF6C1C6F082B40F0E2EAFCB4035D6D38E03461928CED,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007266Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:06.099{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49877-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007265Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:07.286{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B5FBF237B4A57C1B53BFEF8DE0F7455,SHA256=4868ADA77C69E4A82BC961A982310B18CA96F8F05BE81239BB967AF01284D678,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007267Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:08.302{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B66587FB23CAFA1A06F6AF20EE3621C8,SHA256=DDBF6536BEFC629656A788DDD053D19267504869513564AA98D635BF1636EFC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022799Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:06.715{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61909-false10.0.1.12-8000- 23542300x800000000000000022798Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:08.435{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06DAF4293C8991D7007D09D270D3AD3F,SHA256=DBCF7239490CE59BEF3AD07A62F9B1B3A9558DE9D0A1449126ECA637EC9CC81A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007268Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:09.302{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E989A16AB729B497C699946C71C16983,SHA256=8F88A3176B9DA1EFDB47AFEBBC27829CCF5CD9B8C40CB951636C49614DEB5FB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022800Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:09.451{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50618283FEC8CEBF41A1A773995209B7,SHA256=AA39E31A8C6776021140E6AB299F2A1CDA2FE872BBA9F8CA133521C0043C8052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007269Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:10.302{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F15702EDD59403481C60CD52E45BE4E7,SHA256=D7404BBACEAFDE8681DA66FD23BA7EF4931CF3A5C7965CBBD17E93B2A23E419F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022801Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:10.467{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEF42A8DB94AFB0ECED9225EA029DE2E,SHA256=15EC8F7FC80DF3225D509EDEEEF0E8CFB5897670C5D93576D1C7164DA300F4F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022802Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:11.498{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AC83BF157BE1DDAD5908E1884A78C9E,SHA256=58FBB94020D086A91B8A31C11C573569A89F81CA78448C293A50D6D370A07584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007270Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:11.302{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05DFC4053B65858FDE2B408DCF399FCE,SHA256=708A0A61A88942619AE0BA2E26AE9FF54093C60034C204AC7A0D0956FE6BF856,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022803Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:12.545{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC6D25B95D8B25EBA8632976E21E550,SHA256=C64BAB99CDA048FACD46789F55748148F650DA6ABC60777FD94FF2FD9093CDFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007271Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:12.302{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FF722130F7B369A2BD05C43C79811A1,SHA256=9973BDE02FC4B10006FBFFE2DAC82534D989C18EE45B5C672C48399C4813675E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007273Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:13.458{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C857F3A9A3B19CC87F9333F7E856904,SHA256=6A0359B27C387BADDC88BFEC4072F246456506D51316E475C53A28953B4B90AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022804Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:13.560{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=001A9568B582566F9F504C67FDC0D618,SHA256=4EE75D6EA6A950C3F4559193117F7BC2A765B3F207A19E793A921806CF3A8F05,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007272Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:11.288{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49878-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007274Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:14.692{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA244F5A6AB5D2BE80A9A81FEB59F1A8,SHA256=9920CF8A26DC0BB75968796576CFA062EB8F0A0AFB917F36AD276D219A1C97E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022805Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:14.560{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B1984A84636F9CCED142057533A720,SHA256=B6F0E6B9077BDEEEB287FCBA0C31EECFD1D22D0EDEC5B5E056BCB550C0F9AB38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007275Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:15.739{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=140125BA9A516F6C8E44FB5EB2F2A3DB,SHA256=2D1A8AA859F005C16E36899DAFEEE231683E9ED562B9F20C91E88622E99F67B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022809Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:15.951{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9B9C06D804F28844F8B5C8F346B4EB0B,SHA256=08D1B047A35A9D03D7997F35503F9DF93466A1CBD6105A2B59C4A3008837A204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022808Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:15.951{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DD6BF52869B316356AB8B791E2A6A4E1,SHA256=949E3E1A9385B39867A4BFCC554FE4BD26441C3DF137D2B9A2A1C170AFD1D71F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022807Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:15.576{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=949DD6A2595D5D448EC79B989524FDE3,SHA256=46F870971D77182F9206703DE22FFB8BB3F801CBF2C33E682CDA423D72CED548,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022806Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:12.699{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61910-false10.0.1.12-8000- 23542300x80000000000000007276Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:16.833{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5333FD1EDA2292E774D23098CEE512AE,SHA256=5FD03DCAA73DA522706CDE80F3760772B55C8B1674C2BDE7A29AE008E3B68B92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022810Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:16.592{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=776CECB5A0B399EB9279DDAD57EBC442,SHA256=4298EC3B491D434EBF2E1481A1FB450B1372E8523E794D2CB99DFE9915F57293,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022813Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:17.618{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B30C9D6DAF57E6F1A7B78027F5C2D92,SHA256=3E1C140E0AA376091ED9C6829C92B2E0049AFF620AB54D65F598F51CFC3F2224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022812Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:17.310{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9ECA750A44A61C03F25AFDBCD91F3345,SHA256=492E51E760954A56912DA65DA4A145FFBC338C8CF798F6C12DA80C982FCD534E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022811Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:17.310{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9F8A371A8B817A02206A574BD77342F,SHA256=1A3E8AB0108709FD8A678CB1B6E0B3C20044807295DCBB390AC61DA6065B39A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022816Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:18.634{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D86B1A60E7E6014B59F17A56ABFE155A,SHA256=BB5FA3DFE6C6A08249C4FE6807F2F46473AE4F03F453A406CE43B8C95C376CC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007277Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:18.013{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE2F73CB2D80B9CD98BC1BA0917A3272,SHA256=B1F82D6CC686BC680E1742DA76CC1C8F692291AA059514FEE3E81922FAB7DB0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022815Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:15.903{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local61911-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 354300x800000000000000022814Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:15.903{6EDEAD03-FC2A-615B-2900-00000000FB01}2912C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local61911-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 23542300x800000000000000022817Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:19.665{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=776FD1FD9E8E61464056DDF1144ACFBA,SHA256=0F369188B7FFCADA6C52BDA95F89C203FA89014E6E6FC731983FAE2961C9C9A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007279Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:17.146{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49879-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007278Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:19.138{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6482C75862CA1ACCE76EBAD319469FCA,SHA256=738314EE1C59770AE1A9956B34B205EA0DB50C25B54E3936790444B0DFFD311E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022819Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:20.681{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C2B174E4E4B27D3AC54D1F296A57831,SHA256=8957CF38E0B6534D71B48C74E6A0D2B652EA70DA3E08470B5584031304AECD8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007280Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:20.278{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E996647DC9FF0E2BF7A5062B7D0338A,SHA256=A3B117CB378AF8060987EFE42716667D505F6B9F4D0E70C1AAC181FE36837C4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022818Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:17.741{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61912-false10.0.1.12-8000- 23542300x800000000000000022820Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:21.759{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5277889BF3B6B6EE406BE19802CD487A,SHA256=5819541B84444E1E4FCC6CA764714962737E33C1E92C2ECD7BC537546B611967,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007281Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:21.356{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7249A861FD047656DD313E38FF1A5306,SHA256=0760737521C41269F95F0CE8C05099940EC81E5744D01B179BAB7D896D8F4167,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022821Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:22.790{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=703DBB5293DA66E0A6F4913DA1FA1948,SHA256=09568EE9CCB48074D1D834554B07B84DAC4B3CB839FD3A82C423CF5CA2C5F162,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007282Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:22.372{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE604C844D8C9C685B0550AED5008244,SHA256=9D887F6EC8852BB1C552273092087E9A6EFA785E638CB7A362AFD5F0DE690CA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022822Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:23.806{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=590C3529E6DC472F8177FA6CDB9EA5FC,SHA256=9A7C028984F62B19602F235C30A4DF5869E6BA733D7469A9F2A57AB9906D2333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007283Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:23.372{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E17D550F92F21C822811A123A819349,SHA256=E77C90AC9E6F73CDE40561727098BBF2912934999A2906776D5335283D16DEA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007285Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:22.185{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49880-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007284Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:24.372{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F032E40DFC1B667590759F7FBF92B46D,SHA256=8771FDEBB4EDEA588856AF6A51881D7D309DB16A1199D703F3AC4B655BF23D82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007286Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:25.372{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5E6968963FCB1A3444CCB138A75987,SHA256=13A91AC56DDF2F93C51C75688FE3E38568D9F529C6840E8A14105EBC2747189E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022824Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:22.851{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61913-false10.0.1.12-8000- 23542300x800000000000000022823Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:25.009{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=758B759B63C9C78495C190C00ABE0860,SHA256=5F1949D39613F792D57DF4EBE1A6C74BB41333904391051D0D2D3557CE122AF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007287Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:26.372{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB3DCFF3F35548DC7C894DDF84B8E05B,SHA256=08ABF10C9DC2F1D89E2CE3F61D9187F1BD7EABFC067F03EA4220F87E8674B2E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022825Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:26.228{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=914DB88C9BF825553A80D3D3AC3DA1DC,SHA256=B19E764B5FB1B1EE9E30CF7D1767EB71FBBA477E66E92A68645FD7007C2596FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022826Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:27.259{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F5F4AB40B09921EA2E3CAE97FB3DDF,SHA256=E46957EF954618EBA677759A3A0B53EF1EAC531FBD9238AB48ED5283518CD2C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007288Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:27.388{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6A8718210E6DE021C5F6961091D918F,SHA256=517FDA232707E67C982F6310C9636B5BDEF15FFB7E5F27C95161754D7F5B0F86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022827Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:28.274{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C5FFDBC69FFA32D291483325FCC2BB2,SHA256=050A1E69B318D59AEE338F3DD3C90D6852CE0939490B4E42961A19FB491E8D36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007289Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:28.388{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A69B501ACC30BA2E4B69B54C832B298,SHA256=10071AC788849F2B191DC5E06CA42970D3FEF8E72C208508BD63273BC65D8517,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007291Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:28.216{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49881-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007290Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:29.403{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEBA8C420B5EACF35B1FF111E06F8505,SHA256=23CC178424FD3EA73D7FCF472937EE6DD951D99AE47789721EBCEAFA600F3850,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022828Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:29.321{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDA3DAC7290F305D139F96FEAA115482,SHA256=B1C866A98A08A9E106F09FEA56FE91A6DF69999CA42197BFB6D20D87ECC44564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007292Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:30.419{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=044C830D174A880FB6A9C7CBCA49FE88,SHA256=CAE4A3B967C09E5388C9AF60ECDD7BB6871C1BCAAB8D9D3876FC406E3CFEFDA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022830Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:27.866{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61914-false10.0.1.12-8000- 23542300x800000000000000022829Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:30.337{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=186B34F559DAFB1AA0D70A2B72FCB953,SHA256=6C583C09B440C8277B4D3B46BABE731F70F6791A03EDEB18528387A5AF927C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022831Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:31.384{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75DEA19B8B4A73A668E7A69FF29F5C62,SHA256=8DCFCD5C348826636C5396119F602A8F42B6F814A97B5631A408BE6D74280A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007293Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:31.435{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F98B455A601C680C9CCEFAAAEC084B4,SHA256=3580FFCAAA2DB50A7712DFDFF7CB40A9361FDE51A6FB1B6A28D71C3BF6B093A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022832Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:32.384{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9098700230E0468C512A20F76A8EAFC,SHA256=12F6B5C7824E7348388F619932DD66FA9CD21028711C0737EA7AA760C7027C56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007295Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:32.435{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBB50ECF9B1F1B0874B74BB886AF5F6F,SHA256=2DB7B4901BC38C73C845D68756767C6A6A3DF10673CFEB3FBA0DEBBD8A1A8389,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007294Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:32.153{49C67628-FDEB-615B-1100-00000000FC01}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=856B4E6EEF5392FDB5E18C22A3D653C7,SHA256=999B959FA192DBB883E1472241D324460316EF5660465B8E169C6A1D14F847B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007296Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:33.450{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E9EF200785088CB188BCF59B3D16ECE,SHA256=FB1A16178C0AED73E7F8600299E68660F9CF864B3C59DA4E9845BF1765FB3C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022833Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:33.431{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7DE902052B7CFE256428B6AA869869D,SHA256=80895DD0C610552A91362B1E0038F3113A75C20DF6A0657CEC41F199084039E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022834Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:34.446{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A84CD2FF60D4B54EBD1C1927EAA9FEB,SHA256=CBC039825BBC2D28BA7E549020A6F913D4DC9B086D1F558307558E71EA237348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007297Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:34.450{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=449813B018D25AD9404EF1603F99175D,SHA256=84843921B572B716CE46F693A7CB828B82864876EFDBB45454AF43595545C391,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022836Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:33.741{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61915-false10.0.1.12-8000- 23542300x800000000000000022835Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:35.509{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0075BFCBBE901E71DBCD1311CC13D4DE,SHA256=1CB8ACA495548532EDEF1FA95FF91E14F5343F235770D181F145804F6C42E692,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007299Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:33.232{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49882-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007298Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:35.450{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B384B879DA3C2448E8E00156FA235B31,SHA256=25129FBA7AA6D1BAD7E0C34CA4E01BBA64C1B3F2A2E9A29E64496E51C2A03234,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022837Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:36.524{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=548C3A4F2174BB1A110F100D99DC45CF,SHA256=2AE667571F868AC92941E36924B7B5BC29B43B2BA793B542094C5B9F226E858E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007300Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:36.466{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CD8547EDD56B150BA3057B2AE1FFD0C,SHA256=522B38FAD35D90FDD9868D3A6C41BF91AD0D0D80A53A6B7440B560351C243CCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022838Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:37.659{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A760A649F8A35DC2F0F49F9349741E4E,SHA256=3E023768172F6B7A51F58E96FE1F76C6BC96B92BD594B74DC9F034163A87DA58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007301Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:37.466{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71849BD7C5FC3FBB006445AD01511E77,SHA256=79905E0B8A8FAFB6A75E5106FCD6B273E2108B0673DC31AA016D6216E9CFC166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022841Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:38.850{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\respondent-20211005071805-022MD5=AA6F78CCC35FD74424B933C975A9F779,SHA256=482DFC86E7C4A11E76E3E352EB64B396C84C083D9F57F37823883232EC55A225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022840Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:38.707{6EDEAD03-FCBF-615B-AF00-00000000FB01}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022839Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:38.660{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93954928046E9F6A97DA38CC49A9BDCE,SHA256=DEA9592F3117154E544B2E4E287C733D71ACEE1C2F04F9CA521685957832DD01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007302Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:38.466{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59907C5A5FA284238FC4A915A52941D8,SHA256=EA1919262C5272E400CAD8CCBFE4F7397197D2750BD89DECD999ABBC93AC20FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022843Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:39.864{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\surveyor-20211005071802-023MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022842Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:39.675{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=526B41EB227E47B81C0BDF9D8C2C44DF,SHA256=F10EFD2C5E27D428E627AB4092950D91CB705BE198E3BE5F8FCB208E34360324,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007303Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:39.481{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6341B8A2E97185F442AD1E6CFE0DB7CB,SHA256=24CF0AEB6D1507BFD6F65503BB665CBD6FA4E97027FB4F165138DAB2CD34C179,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007305Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:39.154{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49883-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007304Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:40.481{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48FDE1D5874C2B49DC161813C1336413,SHA256=128FEC231D68E165E9EBFF1BA987112C132E11462F4089E90578828733DF5E15,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022853Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:38.299{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61916-false10.0.1.12-8089- 23542300x800000000000000022852Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:40.678{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D466E625B300136920D622C2348BDE66,SHA256=4AFD025693040F107DEA540D300065E83302D6AD225C8E533B7E9D7E2B354AA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022851Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:40.346{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-01B4-615C-1305-00000000FB01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022850Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:40.346{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022849Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:40.346{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022848Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:40.346{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022847Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:40.346{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022846Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:40.346{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-01B4-615C-1305-00000000FB01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022845Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:40.346{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-01B4-615C-1305-00000000FB01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000022844Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:40.347{6EDEAD03-01B4-615C-1305-00000000FB01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007306Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:41.481{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=038B5C3B518C24CF7A22B43B204DED0B,SHA256=0DC11C5ED19C0256F9FB1155C065BFFEC920982DBD86F4872B0A60EED5F163EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022874Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:39.735{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61917-false10.0.1.12-8000- 23542300x800000000000000022873Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:41.710{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5961077327378412437C4C5F878B06C1,SHA256=E88273541CD74433C562F7F3EC37C61EE1F0EF81C9D060A75AF38727A97167A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022872Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:41.694{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-01B5-615C-1505-00000000FB01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022871Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:41.694{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022870Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:41.694{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022869Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:41.694{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022868Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:41.694{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022867Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:41.694{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-01B5-615C-1505-00000000FB01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022866Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:41.694{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-01B5-615C-1505-00000000FB01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000022865Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:41.695{6EDEAD03-01B5-615C-1505-00000000FB01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022864Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:41.366{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE10B203CECD08D64FC0DA166E66985B,SHA256=662B28C5EBBDA09B9CF22C2550CAB29BA23E585F38FCE5F9AC6536E66575B44C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022863Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:41.366{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9ECA750A44A61C03F25AFDBCD91F3345,SHA256=492E51E760954A56912DA65DA4A145FFBC338C8CF798F6C12DA80C982FCD534E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022862Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:41.179{6EDEAD03-01B5-615C-1405-00000000FB01}34647000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022861Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:41.022{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-01B5-615C-1405-00000000FB01}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022860Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:41.022{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022859Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:41.022{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022858Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:41.022{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022857Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:41.022{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022856Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:41.022{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-01B5-615C-1405-00000000FB01}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022855Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:41.022{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-01B5-615C-1405-00000000FB01}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000022854Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:41.023{6EDEAD03-01B5-615C-1405-00000000FB01}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022885Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:42.803{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32A4B5545AD2CB8F1270DEE1F53EF0B4,SHA256=8C5D3A478C4E17010A1ABB1C7033690B334070518DB99DE5DEB6253D10B130B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007307Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:42.481{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FED47F3F6BC002CBB012900C1741586B,SHA256=787F588C3EDC500125D6F949BF5446273AC3912D0F7A26D88A7EC33ED9F27119,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022884Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:42.741{6EDEAD03-01B6-615C-1605-00000000FB01}71646840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000022883Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:42.694{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE10B203CECD08D64FC0DA166E66985B,SHA256=662B28C5EBBDA09B9CF22C2550CAB29BA23E585F38FCE5F9AC6536E66575B44C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022882Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:42.569{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-01B6-615C-1605-00000000FB01}7164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022881Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:42.569{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022880Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:42.569{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022879Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:42.569{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022878Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:42.569{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022877Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:42.569{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-01B6-615C-1605-00000000FB01}7164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022876Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:42.569{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-01B6-615C-1605-00000000FB01}7164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000022875Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:42.570{6EDEAD03-01B6-615C-1605-00000000FB01}7164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000022907Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:41.710{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local63744- 354300x800000000000000022906Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:41.709{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local62955- 354300x800000000000000022905Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:41.707{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local58889- 354300x800000000000000022904Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:41.706{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local55532- 354300x800000000000000022903Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:41.704{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local61050- 354300x800000000000000022902Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:41.703{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local54322- 23542300x800000000000000022901Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:43.897{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52E3C671300FC79686BC90EC41E31BB0,SHA256=6B3EDD9A996BE7B5FB4840786BDB85B8446A4F33C4BC2F246EC37098BF49B417,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007309Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:43.481{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BADCAF1406384C519DCB9EB90C7193A4,SHA256=B01BF9DA348CB86A604AA7CE0E8A6C04F9CEDBE17792CC9978B91AC238072D30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022900Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:43.428{6EDEAD03-01B7-615C-1705-00000000FB01}58847004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022899Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:43.241{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-01B7-615C-1705-00000000FB01}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022898Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:43.241{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022897Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:43.241{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022896Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:43.241{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022895Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:43.241{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022894Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:43.241{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-01B7-615C-1705-00000000FB01}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022893Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:43.241{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-01B7-615C-1705-00000000FB01}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000022892Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:43.242{6EDEAD03-01B7-615C-1705-00000000FB01}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000022891Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:41.700{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local61212- 354300x800000000000000022890Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:41.700{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local55190- 354300x800000000000000022889Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:41.694{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local61919-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local49666- 354300x800000000000000022888Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:41.694{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local61919-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local49666- 354300x800000000000000022887Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:41.693{6EDEAD03-FC1D-615B-0D00-00000000FB01}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local61918-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local135epmap 354300x800000000000000022886Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:41.693{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local61918-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local135epmap 23542300x80000000000000007308Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:43.013{49C67628-FE68-615B-9F00-00000000FC01}1772NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022926Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:44.975{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63FC03C0D840AA90727A3AFD2A22396F,SHA256=6F62F23A02ACB28C1B561D003347BFDF2A1E5DFB9A429B007A8B22479FB48E86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007324Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:44.903{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-01B8-615C-4701-00000000FC01}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007323Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:44.903{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007322Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:44.903{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007321Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:44.903{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007320Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:44.903{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007319Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:44.903{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007318Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:44.903{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007317Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:44.903{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007316Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:44.903{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007315Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:44.903{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007314Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:44.903{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-01B8-615C-4701-00000000FC01}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007313Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:44.903{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-01B8-615C-4701-00000000FC01}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007312Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:44.904{49C67628-01B8-615C-4701-00000000FC01}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007311Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:43.029{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49884-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000007310Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:44.481{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9856849F0E4A68C9094E70A903A3C197,SHA256=ABE07E5EA35605AE8A03EE51237CAB1C61B5E20C16BEF068FD70D8B84A8CB18D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022925Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:44.694{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-01B8-615C-1905-00000000FB01}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022924Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:44.694{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022923Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:44.694{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022922Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:44.694{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022921Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:44.694{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022920Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:44.694{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-01B8-615C-1905-00000000FB01}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022919Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:44.694{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-01B8-615C-1905-00000000FB01}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000022918Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:44.695{6EDEAD03-01B8-615C-1905-00000000FB01}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022917Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:44.241{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A811A835694CD835BC873196BA4D7D5F,SHA256=DA71CA21AE593AA2A990EC7BF19C6F0E4B830BA4F9266047F1F375C19F5E126A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022916Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:44.225{6EDEAD03-01B8-615C-1805-00000000FB01}51926504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022915Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:44.022{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-01B8-615C-1805-00000000FB01}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022914Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:44.022{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022913Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:44.022{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022912Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:44.022{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022911Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:44.022{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022910Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:44.022{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-01B8-615C-1805-00000000FB01}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000022909Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:44.022{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-01B8-615C-1805-00000000FB01}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000022908Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:44.024{6EDEAD03-01B8-615C-1805-00000000FB01}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022928Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:45.991{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25ADD85B63F1F9690EAAC2109957D112,SHA256=31D4FCEFB855F4F46B4950AE2139EAB8E26E9DA0863DA292182F7E8A53663CA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007339Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:45.747{49C67628-01B9-615C-4801-00000000FC01}35403684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007338Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:45.575{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-01B9-615C-4801-00000000FC01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007337Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:45.575{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007336Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:45.575{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007335Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:45.575{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007334Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:45.575{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007333Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:45.575{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007332Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:45.575{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007331Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:45.575{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-01B9-615C-4801-00000000FC01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007330Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:45.575{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007329Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:45.575{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007328Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:45.575{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007327Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:45.575{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-01B9-615C-4801-00000000FC01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007326Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:45.576{49C67628-01B9-615C-4801-00000000FC01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007325Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:45.481{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46EF0CB6E96F23BDBCC49AAC662FF941,SHA256=EF8093C44D3979550B6B48771B73D9A385A26DE2BDB0B4914CD78E0454D581A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022927Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:45.710{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20CAB64C3E41041E3930B4F405389C32,SHA256=D12C74293C259EAB264E28A1F61814F79F74A815436F66A7DDA2325BCA1DCD7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007356Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:45.170{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49885-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007355Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:46.591{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB3922CA6E22D087F3026476DC4AAE70,SHA256=9AB74B5F7D928923A3468FDD67F70E8FFC50BFD6081D5EC8E0822724CAB9662C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007354Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:46.231{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-01BA-615C-4901-00000000FC01}752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007353Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:46.231{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007352Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:46.231{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007351Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:46.231{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007350Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:46.231{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007349Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:46.231{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007348Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:46.231{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007347Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:46.231{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007346Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:46.231{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007345Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:46.231{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007344Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:46.231{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-01BA-615C-4901-00000000FC01}752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007343Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:46.231{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-01BA-615C-4901-00000000FC01}752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007342Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:46.232{49C67628-01BA-615C-4901-00000000FC01}752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007341Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:46.122{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31DC339FCDA4ECCD2BD3D16B7F4FD7DB,SHA256=D0DA5B13A27804655695730B4E30461104A2E0F0ED515C1835F043F09955D763,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007340Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:46.122{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0C0B1FE556E6DD8BF54DF08FABF1CFE,SHA256=FD86423A5EF84AC5FD124CD9E44585B8D0B94058E0067AD7817170FF74FC7DA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007372Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:47.794{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F6E193778DBC17B2D763E1707965270,SHA256=3745DDAD52E81EE4D38811EDA3271111BEC856687606FF5BFDAF6ECC40719B55,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000022940Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:41:47.569{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000022939Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:41:47.569{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00160832) 13241300x800000000000000022938Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:41:47.569{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b9b4-0x118b54e7) 13241300x800000000000000022937Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:41:47.569{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b9bc-0x734fbce7) 13241300x800000000000000022936Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:41:47.569{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b9c4-0xd51424e7) 13241300x800000000000000022935Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:41:47.569{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000022934Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:41:47.569{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00160832) 13241300x800000000000000022933Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:41:47.569{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b9b4-0x118b54e7) 13241300x800000000000000022932Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:41:47.569{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b9bc-0x734fbce7) 13241300x800000000000000022931Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:41:47.569{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b9c4-0xd51424e7) 10341000x800000000000000022930Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:47.428{6EDEAD03-FC1B-615B-0B00-00000000FB01}636804C:\Windows\system32\lsass.exe{6EDEAD03-FC18-615B-0100-00000000FB01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000022929Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:47.053{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78F38680A8B673395732E351CAC5DE4B,SHA256=BDF1AAD7351431AAF29A1F2DDB4B5F83E33F2BE19DF6E61574049D0CFBF5F178,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007371Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:47.309{49C67628-01BB-615C-4A01-00000000FC01}9401252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007370Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:47.263{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31DC339FCDA4ECCD2BD3D16B7F4FD7DB,SHA256=D0DA5B13A27804655695730B4E30461104A2E0F0ED515C1835F043F09955D763,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007369Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:47.169{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-01BB-615C-4A01-00000000FC01}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007368Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:47.169{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007367Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:47.169{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007366Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:47.169{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007365Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:47.169{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007364Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:47.169{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007363Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:47.169{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007362Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:47.169{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007361Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:47.169{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007360Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:47.169{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007359Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:47.169{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-01BB-615C-4A01-00000000FC01}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007358Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:47.169{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-01BB-615C-4A01-00000000FC01}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007357Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:47.170{49C67628-01BB-615C-4A01-00000000FC01}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007400Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:48.950{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-01BC-615C-4C01-00000000FC01}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007399Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:48.950{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007398Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:48.950{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007397Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:48.950{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007396Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:48.950{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007395Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:48.950{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007394Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:48.950{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007393Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:48.950{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007392Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:48.950{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007391Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:48.950{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007390Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:48.950{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-01BC-615C-4C01-00000000FC01}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007389Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:48.950{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-01BC-615C-4C01-00000000FC01}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007388Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:48.951{49C67628-01BC-615C-4C01-00000000FC01}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007387Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:48.825{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B58014E67130AEBBF48C5E081FD9A59C,SHA256=20DD60D4AD510EB4F00B10D9616625CB50B5FC7944612FD655873197F5F9EA15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022943Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:48.319{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=768523FA57F1562C5C770441885015DD,SHA256=8E65E6BA552E8D207D7521D974EC4AEA48CCBDCB7EB5FEC9042548D1CA26B74B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022942Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:44.739{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61920-false10.0.1.12-8000- 23542300x800000000000000022941Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:48.069{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61AC19A883560EA5D865582AE1D1C1F2,SHA256=6EA543DED18916BC04A56594D528A6D9B281335F9897AED0682494230DEED204,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007386Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:48.419{49C67628-01BC-615C-4B01-00000000FC01}19362004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007385Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:48.278{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-01BC-615C-4B01-00000000FC01}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007384Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:48.278{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007383Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:48.278{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007382Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:48.278{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007381Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:48.278{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007380Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:48.278{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007379Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:48.278{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007378Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:48.278{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007377Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:48.278{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007376Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:48.278{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007375Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:48.278{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-01BC-615C-4B01-00000000FC01}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007374Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:48.278{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-01BC-615C-4B01-00000000FC01}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007373Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:48.279{49C67628-01BC-615C-4B01-00000000FC01}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007416Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:49.950{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=377EAD962CF08B5EFFEB78969B1A9F71,SHA256=BB21F7A79A56A62164F8CB83D3F69E4CAEFB523CA4A27C44BF6F83B8EE6A7F20,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022950Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:47.040{6EDEAD03-FC18-615B-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local61923-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local445microsoft-ds 354300x800000000000000022949Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:47.040{6EDEAD03-FC18-615B-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local61923-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local445microsoft-ds 354300x800000000000000022948Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:46.937{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:2c9d:2f3c:f5ff:fef1win-dc-676.attackrange.local61922-true2001:0:2851:782c:2c9d:2f3c:f5ff:fef1win-dc-676.attackrange.local389ldap 354300x800000000000000022947Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:46.937{6EDEAD03-FC1D-615B-1600-00000000FB01}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:2c9d:2f3c:f5ff:fef1win-dc-676.attackrange.local61922-true2001:0:2851:782c:2c9d:2f3c:f5ff:fef1win-dc-676.attackrange.local389ldap 354300x800000000000000022946Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:46.930{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local61921-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local389ldap 354300x800000000000000022945Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:46.930{6EDEAD03-FC1D-615B-1600-00000000FB01}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local61921-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local389ldap 23542300x800000000000000022944Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:49.069{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3D7C9C4FCDAC3FEBCE2EA75666CBAAF,SHA256=29DBFCE6ACAF41B177742403E64B763C5F7C87AF2D4EF9CAF53CBFF0B86D9ACD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007415Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:49.763{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-01BD-615C-4D01-00000000FC01}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007414Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:49.763{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007413Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:49.763{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007412Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:49.763{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007411Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:49.763{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007410Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:49.763{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007409Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:49.763{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007408Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:49.763{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007407Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:49.763{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007406Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:49.763{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007405Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:49.763{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-01BD-615C-4D01-00000000FC01}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007404Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:49.763{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-01BD-615C-4D01-00000000FC01}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007403Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:49.763{49C67628-01BD-615C-4D01-00000000FC01}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007402Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:49.294{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B74B894134472169437C8CD90C7C53B9,SHA256=096A42912E5F4F59574754149F4691E9E4898DA2D57ADB3D6411F99FE160C0A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007401Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:49.169{49C67628-01BC-615C-4C01-00000000FC01}31042336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007418Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:50.950{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F7E8E4D74D3699C2B13A60D97FA61C2,SHA256=3A57922EDBB9C27C74729D55B158F3167A8496EA115A0B19CA0F65517D589144,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022952Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:50.382{6EDEAD03-FC1D-615B-1200-00000000FB01}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4FB2913D535D48E32BE2E974F5A7E682,SHA256=C201D2B1B5C9409C91BD39C2D5DD736C17061F48F1EB667DCF89764A8CD211E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022951Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:50.085{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=898FE77D17E813C2CA814AB476F92A4C,SHA256=CB0CE6B55E1F09F780C6B7AEEA154471B1D24261FAD443F1DEFBAEEC16AFDC6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007417Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:50.778{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2AD77B223A83255E8E33997584E3E8F,SHA256=A3BC231F3751F1956F68927882CE2E77F221C2E777E40731B051373125861DF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022953Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:51.132{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31E35DCB2B225923CDB038A2A2EC5F33,SHA256=52A48D175489274BC3417EFA6437C9FA8AF41187B74BD0DD5684F5C011825C07,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000007419Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 07:41:51.997{49C67628-FDEC-615B-1500-00000000FC01}104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b9bc-0x76458415) 23542300x800000000000000022954Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:52.179{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=156D09E06F654D50F6217A16EE2527DD,SHA256=5F21AB3018F2847BA28A0FB9EDB5F10E26F0902451075270D8DC4D724AA23017,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007420Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:52.091{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B6E0E6DDFEA8B87097BFDC09115CF3,SHA256=73A67CFEB59CA764676389860032C7D68A04F1D395377539496BF680AFF0715D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022956Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:50.723{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61924-false10.0.1.12-8000- 23542300x800000000000000022955Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:53.210{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C640BFE9A66791E00E1F5AB13A398A,SHA256=8BD5A1BD5F87697A19DEFCFD3A95E6137127EC76AB8AE1D7FF4B1174E523AC6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007421Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:53.231{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E469754329B058BE89E371D817A84D,SHA256=E34D7DE8FCE77A10351A9987ECF593AEE4CA7810AFAE4343EF53322DCC775193,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007423Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:54.372{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=606281B0422C5B7C2E0A17B26A17D558,SHA256=3179F2E43689CC41CE34125AF5E857DA3721FB5CF861858AA529458ED854C269,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022957Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:54.241{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA7E2485EC18DE160F51C47F19528695,SHA256=5C1769B303D54ED3150CA620269712F2B9144AF88C471D9FDB1CDC9729C715AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007422Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:51.138{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49886-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007424Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:55.481{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78EDE898D1195F9EE17E5F33CADAE3FA,SHA256=D6196B0D9A0BD4BC55FBCC23790515945EF95F98655F1698A5219FDFDD74D95C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022958Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:55.257{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=875666FC0CE6E6AAF8DE4A930E2B45BD,SHA256=3C0BF53932E021EEA4B5386161C997814C60BAA0BCB4C90C02E797743731D1EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007425Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:56.513{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9CB9285092F57C73664770A64AF6968,SHA256=57CEBC24043D79FD436F0AA8FE7612C4FCB9FFEE6BAC007BA897D3BC6DDC7531,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022959Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:56.288{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38CB8667A69699F897B8776337966093,SHA256=DED7D0ABAA760249EDC9D937B558C923CEA16421A12FEDFD2D1CF4A36E6F9434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022960Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:57.523{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFDBEDAC5CA8D70470630F401FB72119,SHA256=C1B03EABB9744BB56D771FEE2C0E8CAA68EB9CE6EF68F2C9459B870F23DBA41B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007427Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:57.560{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\respondent-20211005072534-015MD5=9DBD3CF651CAD1963D7DD9E70795396E,SHA256=D00FE5240C0E39CC33FD8ADFFDA13197E8833401D0A3D05F731F6A79B8E00229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007426Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:57.527{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4CE18624F2E25385175E7322814A589,SHA256=775C4FF8DC2AA967F9E14EE863B5B8E7DBCF1EF025776E5F6A4A92E428BD7C73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022961Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:58.539{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=934DB9EC229E4711FC5BA3F786338440,SHA256=4570BF08F3EA15DDD74C529ADA3749F87C80D5929B5522725FC3465CAB2D6332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007430Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:58.573{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\surveyor-20211005072532-016MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007429Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:58.541{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B41CDB9683CF09F6A614ACB95CD1C811,SHA256=BA012A75EEBE1DD7A3033FA305360BBB4240EF05576E6BD9BA751787A0539ECE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007428Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:56.201{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49887-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000022965Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:59.554{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E07E643ED02999EFD3B30C4984D9F6A1,SHA256=5AED4D23493F0C74DEF401FE6B978274F9F36591703D4433C9608776315DA714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007431Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:41:59.542{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFBD315C08C736C93752BCD986313B93,SHA256=0B11CE404FD93D446F00AB903C64DFFC4BD15A48FD6387FACECA778B7152334F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022964Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:59.523{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15423CFDCC287345BB1948C683DC1A95,SHA256=0610423D62CD721718F59B3CEC16D63B3B276794374D2299405C4B945DC39238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022963Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:59.523{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DF2AA67AA597A05F86B6640B0968901,SHA256=C2E35426A1A29468B31DCE6F2284B127B63F73A1D0FA612318E78CAD15B2B7A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022962Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:41:56.661{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61925-false10.0.1.12-8000- 23542300x80000000000000007432Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:00.542{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3579F8A2C356CF3A944E93A14155294,SHA256=097E63EEBCF827615116CD3F10EA8642BFD0115583874F4E28BFF13F7D5C3883,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022966Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:00.570{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DC1447737051E6FD15E4AF1ED7E4589,SHA256=AC32385A946A028BCA16605B5C7E44878E105FD8DE3FE7251E8DA7576EFD64D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022967Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:01.617{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A98958BD01CD84D8895742758A53352,SHA256=D3954A1A14EE5769A4FA7550350131BBECF2C77BF74D15AC73F32BA1EA86C75B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007433Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:01.542{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0AD0BF5C7CFEEB8FA26102DE4E42160,SHA256=56AF377F49C05F87B6A4C272AFDE43F913EA0274B8951B6E7F0D2C1CDDCC1739,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022968Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:02.664{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE0EDC408421C326373D76C86D1D6A1E,SHA256=87D9A41DF48EA6EB586C2443BB79EA95AAA7AF8C0C5C5A1D7C27FC0EA97E5CF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007434Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:02.542{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5839D9513DFC39245A4EDFD25B661A50,SHA256=6EEFF40540C406ABB996C070E8A67C14BC1DE2D2A2536303954FB8756794BECC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022969Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:03.711{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4ABC473121D20308615E1E4CC885755,SHA256=ADA2F789BB024323D2091084C242D2171B6F4BD28D10855B28532327FBF86980,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007436Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:03.542{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B54300D851D685E9878BC70109513C02,SHA256=ECBF17495DB3DF46EA9A17D5FA2B69EE542345E772A29F3E588E82C62B3AEDB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007435Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:02.184{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49888-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000022971Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:04.836{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBB85D57F5C0B3753BC61B2C3B5C6EFC,SHA256=270D30DBD0BC08BB14AD703CF983E2C26FF75FEF444D0FE5E54A968F15768A9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007437Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:04.542{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5986A37557A845A812DD645D888BD57E,SHA256=23ED1AF6CD37B706162F209173404241FC56D8E9747708ECF4C4B34099213CAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022970Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:01.724{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61926-false10.0.1.12-8000- 23542300x800000000000000022972Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:05.867{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03E2DD15556EE26DBB0DE89FDFE78664,SHA256=8A27D97897FF7D04F31598301BBE468293DB9A06E56DB7313CE3D677CE5200AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007438Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:05.542{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B72D6AB25612A61FB479322C9C82B1,SHA256=497B1AC895644C1F6DD7CC346E8F0E2CFE76BADEA62FC86AD2D56ABF5830D22E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022973Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:06.882{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3453C5ACF590124C8F9B6CC6D6357C89,SHA256=D2969A750A3B210B434EB202CB39291B822EB6FFCC8A9136B2ACC5815F4CF3CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007439Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:06.542{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D43A8C281C74F670E24B9791B0BEF026,SHA256=C1F2F22E08CB66B0A33CB07312A118F4BFDA1C3CF84C88A8C53C0874FE61266B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022974Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:07.929{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1CB9E86D4DC2153BD335A6F0B4FB1B5,SHA256=F69B7B9B0C002715BD87946627D3EB784ADE34FA358A15CA2A487A38E3FF5FF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007440Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:07.542{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C6287526388C684F47472BB7E29E4E2,SHA256=52BC20F32E84885C863E77428814ADF53D3BE0E28E73BE7ED1A4AF90CA3EB8B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022976Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:08.929{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69CB23BEAF47EC3DEEF1AA25F36DFF56,SHA256=EB8615298599C3FC190B3EE363F7BA636569B813706DAD94C09637AABCB19016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007441Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:08.558{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12AAF7604211D9A8155E30984702C184,SHA256=4EDFDA63ABD283236BF93ABE3FB2000AB60B2BE1BA6D62A9B50C84641D876CA0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022975Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:08.617{6EDEAD03-FC1D-615B-0D00-00000000FB01}9082492C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1600-00000000FB01}1288C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000022978Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:09.929{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=798F66BEB7E5CFA4E35AE2C34CA42981,SHA256=3B48E5904001883EBE87F67CA3E0E0E036E0C038A6152587ABDF1E94A58B033E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007443Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:07.246{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49889-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007442Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:09.574{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB6FD426DEF86DAE14BB7D4B9B871D6,SHA256=2B8EBAAB63A5AA91720A25BF1A12967AA028B5312F0F641A2804FE2ECDE70C83,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022977Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:06.771{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61927-false10.0.1.12-8000- 23542300x800000000000000022979Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:10.961{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D727BF92D0826AC7E4F05E6D35C8F49A,SHA256=65D215F3A9CB596FA76E42EB8EFA57024EE36A1D5721B542BEB5BFF4497C8F1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007444Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:10.574{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=881846332CF092E725AF00C8404E9630,SHA256=7E452D4671267A6F009248BE625CFF15A59BFCA185BBEDCE61E712A642672C11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022980Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:11.992{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D4A7CF7D8B78CDF46A520376D8A718E,SHA256=909642AD98A3EC016C85A14F8AB3126790285FCB05C6F598734F29DA6D970610,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007445Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:11.574{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FBD89628C0FDABE3B6C27CF91E63FBC,SHA256=52409CCCB65512A949CE8449425923B8CE0D2A3418BEA0F2FF4B4E8CC2B8E89E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007446Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:12.589{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B52F82C8C5CACDF44BEE99D844089E09,SHA256=C990BA61FA4BD7FA1DD253FC45974299F582132890CB1B1CEB78808AEC0C65DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007447Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:13.589{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=636DF44D02ABD61B170F0922F1D36D01,SHA256=08920177B1A4AC3F12531864A3DA3EE494ACED42AF0A51EA3CF12BCE740153BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022981Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:13.054{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D74C0587530C7488BB05DF601214257F,SHA256=6A92B5977328A9E33EBDD01A902CA8B1AC5A3C758ACB883E277D3D436E38332F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007449Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:14.605{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38E608095CE7C2836B7BCB95D760272F,SHA256=56EFE3B883B70FCE444E2CB8896A4380105DD40DD8B1C420FE556AF2038E4E5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022983Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:12.630{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61928-false10.0.1.12-8000- 23542300x800000000000000022982Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:14.117{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0508B4496D311F3D72487B7D216F000,SHA256=DAC2149544531556C9EFFE479E23E6391507CE5BEC68A3F0DA600CFEDED30BBB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007448Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:13.152{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49890-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007450Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:15.605{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B42CA93AED1AE21010583F27B7991D92,SHA256=4A9F5B017C48FBC76E9D978CE346E4030C220D48D83E39F86404857A027F4737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022984Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:15.117{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB9FFE66FE90FB79FB49FD2B98EF20B8,SHA256=7038DAAC36431FF9A7026B5CC1A5211FA6F45281D5CF194C5ED57838F948550F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007451Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:16.605{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B95FF7C5024CD9FD57AE8B05E967801,SHA256=F56F4145BA7D3A10A55DC1CAA5939C5B67BB89B276C428D8EEEF0A4B7968B70A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022985Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:16.133{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=203B710D99EBAB6288FC29A5B255CF1A,SHA256=A4867EDAAE3D6BD47046B43E04D4565EC0BA3DAC46CB990E11C895ECDD960ED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007452Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:17.615{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABEACE60522FE5A78ADC64013D484816,SHA256=6DEF93ECA4B66FA893A0E44479E20E817A97D6BFEA5CED5B90360442EEC59ED0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022990Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:15.912{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local61929-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 354300x800000000000000022989Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:15.912{6EDEAD03-FC2A-615B-2900-00000000FB01}2912C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local61929-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 23542300x800000000000000022988Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:17.517{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6547E263395EF18AA2082BAF82ADC2DF,SHA256=609D858556FB983ACCC3FA750BBAC6D7CB27E5E213E1C3E798807875E83D8740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022987Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:17.517{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15423CFDCC287345BB1948C683DC1A95,SHA256=0610423D62CD721718F59B3CEC16D63B3B276794374D2299405C4B945DC39238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022986Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:17.148{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3695777CB02E3761417A5AFDA792406A,SHA256=9EE99E76E47BFE47FB2D91929A6E3421CF0BD283FD5DA4BFACB433391132E5B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007453Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:18.615{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=815595C564DB153BE39CD9CCEFC4C9E3,SHA256=9C84726228A737C6CE5194C213FCBCBFBA8E274606CF42AAC889E8E00C4C7931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022991Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:18.158{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69B1E3541BC2623ED3A6D1299BE9081B,SHA256=CD6208D926165017EAD732E5FB6F6A77DEDAF4BEA3E2040A6F111FD2E633CF4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007455Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:18.287{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49891-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007454Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:19.630{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6AE433F5CD11972D4F314C9953DD182,SHA256=8B0187ADB654331DB52E6A79778D2F86E2E093A062F7FE1F8591635FED8B818B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022992Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:19.174{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4878A5CA34986EC71594297A48CEAB3E,SHA256=4573F171EE03D122B02160D5055199B89C0C51A84A4AF8C3BC9903BB60BF6F2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007456Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:20.630{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DD73F8BBE46A38A2DD957E03AFF671F,SHA256=C44B97DC86FCE14F3159E95591BED40E6EB3C7B84B89F1A90FF058F0B40566A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022993Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:20.189{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA680FF84AC2A8000F5D939071492A94,SHA256=72EA661EB87E627FDF47B7B3214F0A242C59F6FBFD1C5FFE002A65A4709BBBD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007457Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:21.646{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C620DC6BD15F503CF4AC7B3B0974D57,SHA256=CE1A1BEE7CDBF306BEFEB7660D584CA964BB2D84A6E35B64471733F0071BADE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022995Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:21.205{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=141BB65E11A5228642F882D0903EBB71,SHA256=1E0B94BA620EB21EEC6F2CC74A815798D32C5F76C79CAD3D62BAFD5931B5770C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022994Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:17.859{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61930-false10.0.1.12-8000- 23542300x80000000000000007458Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:22.646{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D7C99EA2A1861913EEF3749C11B8FE,SHA256=7311B898CA32DFF8CB77E9DD364ED9A6274288D36F8B98B52335FFC85A35D215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022996Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:22.424{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D86A06B446925B3CE880001E8F34C2B2,SHA256=1CF84E64C05DCF58E65786E20A9FBF56AD8F9C60DA0CE471D3F944BE914C6D2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007459Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:23.646{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8139536FDAF8948D3F8D0E77CA34836D,SHA256=C746D297D53C32851141A50F1864499565DEF63794C98CFD3944FBFB1AC31B8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022997Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:23.502{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D7787C2DDBC351377E64BE9676A0791,SHA256=98A790AF86562F4D15BE626DADCC53FF7586827C80EF36DA14B15D90ACCB6A12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022998Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:24.720{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB558B1642D0CDC986021BE23DDBB5F8,SHA256=BB9E1F4F1CFE02FDB3D7B634DA2639405EA6C9023C71C5F1DFAEB329577D137B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007460Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:24.646{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=652E0F5F9CC89748F6E9EFDD0E9A1977,SHA256=04691CAFB135B4A6EC8A095E5EB3136ADA93789C72E44B10CF2D4D5DD4807E55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022999Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:25.736{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F454813DD04E1CA50088A51A179EBF09,SHA256=5935783AE8FB3D06C688BB106DB0278E4CBD19820848C174D86C3C7812CD00EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007461Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:25.662{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1985823034022D776706CC50836226BB,SHA256=ACE183811FCE90AB26617A9CC5702E802AC45483D23A4AE8A5CB259ACA52D9C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007463Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:26.662{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8601BA12B7EA7224D901896C75F30D9,SHA256=EE9C51E73BFCA8A0B7AE8694FA4009DCA0646C6FA6869CD22EB728284DF616CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023000Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:26.955{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3967DB551F5C7C3C409A97F11A74E395,SHA256=909D638901039D85CAF7ED0F34E8F1D3C1312939ED5A80691B35449F53F997AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007462Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:24.194{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49892-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007464Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:27.662{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17E6CA55EDC1CCC1CCE335229475F8D0,SHA256=37015D33D5BEDEBB106E7A6CC31F3B71CA5B770E37DF62E523D80DCE53B7370A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023002Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:27.955{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB91E425951AC4C37E62FD8D4583C7A9,SHA256=A2A595C150F7CABA7A6F25F3104389D7E87270CFE8CF02918B40319070AF45EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023001Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:23.609{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61931-false10.0.1.12-8000- 23542300x800000000000000023003Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:28.986{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE868D864EEA6A4BCB915F253E9FC88D,SHA256=F86FA7AF8A64E757715B23B587839883B6D02F233E43D6D23F87D859104954C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007465Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:28.662{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3506243B40DD1689CB3165834FDB42EC,SHA256=9069A52878856A74D85C031B92B6930FF4FDB4E963AB5807B3D3FC498569775B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007466Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:29.677{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DC05C885C2F261B881D8601D2D48C2E,SHA256=E5230FEB5B935FCCC5591A1CD98D7D922D38091D5448290BBA78A3F3542FB285,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007467Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:30.693{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42017033F80F608CE5D092E481E951DA,SHA256=5A4184AC37DAA117CE598B10A55776FD95ED4209C647859C8D42E6CCB875F5A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023004Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:30.002{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2019A535425861A28E25FD045C15688A,SHA256=B87F2FBFD1863B20B914EDE1E2C8E286B506530505698FC7608820DC8D01801D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007469Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:31.693{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE4B4FFBD823913152BD47D213571345,SHA256=789FFB74594BA3A2002693E3EF7BC55A344A0B0223B6EBC916EC1437034B04FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023006Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:28.624{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61932-false10.0.1.12-8000- 23542300x800000000000000023005Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:31.017{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8675464BE9BE897FF929CDBE86BC6FD,SHA256=FBC41459818FA04BD52DB92AFB813D8B07F374A506A1EE1041A0895360248476,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007468Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:29.241{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49893-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007471Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:32.693{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8C4833580844A5892565CB976BDBCE5,SHA256=634861A54C9084DDAED2ECF80E7959B393506089034751A27E4F1C95447005E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007470Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:32.162{49C67628-FDEB-615B-1100-00000000FC01}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A0D08CD1878B487062A3E75B21323B49,SHA256=4D1149B9194546E706E07C204F1D3B9819ECE63027EB64C8C04F4DAB37C4F47C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023007Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:32.127{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=094A542702FEB704350F740609EC48E4,SHA256=CA2EA3666619B92C985DD3C13BF17258923BDF632EBAB8E3083EF4E76C35609B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007472Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:33.708{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EBA17DE6AFD2E1CC632A0123AEFC35A,SHA256=8CEC0A50A7286399DC6A98B5F942D73661256DA680A311385F49F741435D12EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023008Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:33.127{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3FADD184F4E116ABAAB6C00CE5F7349,SHA256=4CB01135A119115FCA9F010C54E598B1D5CFF18EB6B76B1C4BD0229AC694D136,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007476Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:34.708{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E2A193C0A79BE706878E1A3767B2C87,SHA256=71FF4E0786926ECB07226514B19EF5F279DA3B6EB2EC5E8F7C30151F15073CD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023009Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:34.189{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68126876DFB2CE87F2060B955760E15A,SHA256=824CA8A91430A4D24A7870052B454B5A5CACDF2AEF6C2B3AF0CF0C98BE414AA7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007475Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:34.630{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-1300-00000000FC01}684C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007474Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:34.630{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-1300-00000000FC01}684C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007473Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:34.630{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-1300-00000000FC01}684C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007477Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:35.708{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79529F697B7A8A97CB5ABC9FFA3C36B6,SHA256=6B6140436016E84093A1C034288959EB405E1E136962E53BB232AAB15D7F32FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023010Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:35.221{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F695AFC2F70EE4B1159F26CF8FDE580,SHA256=80DB6576A27EFF72FB79C0732945F310BB4DC4208B39888B88F89FF96D9D3573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007479Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:36.708{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0DF0B633C0E35733DD6CAA3C5EF9DF2,SHA256=B2316DB0B01638686A3A7DA9F10E75FFE42F07A58C2EEE98009AD1EB6879A962,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023012Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:33.735{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61933-false10.0.1.12-8000- 23542300x800000000000000023011Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:36.283{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4CA8AD843DF2E1AE13CB7C2AB136291,SHA256=8C656B53A454136CC4EB9ACDABBF7CB78E1B8E5FA705540E2B0850A9F8A3439F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007478Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:35.116{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49894-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007480Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:37.708{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E592FC05BBAD79A26615602F541955B,SHA256=D061FB50B87A54B588D5A8A671211938451EAB778534ED0A47250F53E93C99DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023013Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:37.533{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5E2A25713C2465DC05C2A733A1D6909,SHA256=24CBCC0AAF542E79FC4FF26A304943C2554101B938C35D587DA97FE60A39B6FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007481Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:38.708{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3206CD7462A6FD386C9B55124E2537A6,SHA256=5620D29BCD4029E1A0969030A31C5314200FC9D1162A7DFE29E29DC9308E3C0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023044Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:38.736{6EDEAD03-FCBF-615B-AF00-00000000FB01}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023043Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:38.674{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023042Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:38.674{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023041Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:38.674{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023040Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:38.674{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023039Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:38.674{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023038Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:38.674{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023037Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:38.674{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023036Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:38.674{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023035Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:38.674{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2700-00000000FB01}2896C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023034Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:38.674{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2700-00000000FB01}2896C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023033Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:38.674{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023032Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:38.674{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023031Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:38.674{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023030Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:38.674{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023029Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:38.674{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023028Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:38.674{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023027Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:38.674{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023026Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:38.674{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023025Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:38.674{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023024Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:38.674{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023023Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:38.674{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023022Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:38.674{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023021Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:38.674{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023020Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:38.674{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023019Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:38.674{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023018Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:38.674{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023017Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:38.674{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023016Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:38.674{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023015Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:38.674{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000023014Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:38.611{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F0A86B754C277932759DBFA4E75118D,SHA256=C6DD52CE255D6DA5F7B3788BCF0ECF41E9F2F35AC1BC57E0E9E4D87EFC944CC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023045Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:39.987{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B59D8761C17E71ACE9CCF76B424BCC7A,SHA256=630531734EF10EED9D6E90603D887B0E78E3E23A99C42DD82DCC6704681F84AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007482Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:39.708{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE83BA9AD086789BD005F476C1E23A69,SHA256=3015C57708A0AC78BC4DBF244686E9C5FEC31B8162B40F7BB8E86B4E3F4595E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007483Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:40.708{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=678B93B304968677BB3C32EAB9F698B2,SHA256=8E055DE6477A4F2630751F0250CA59C7DD1BFBFD8A06079BA3656F0328C5ADFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023055Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:38.327{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61934-false10.0.1.12-8089- 23542300x800000000000000023054Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:40.420{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\respondent-20211005071805-023MD5=AA6F78CCC35FD74424B933C975A9F779,SHA256=482DFC86E7C4A11E76E3E352EB64B396C84C083D9F57F37823883232EC55A225,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023053Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:40.347{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-01F0-615C-1A05-00000000FB01}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023052Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:40.347{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023051Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:40.347{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023050Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:40.347{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023049Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:40.347{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023048Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:40.347{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-01F0-615C-1A05-00000000FB01}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023047Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:40.347{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-01F0-615C-1A05-00000000FB01}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023046Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:40.348{6EDEAD03-01F0-615C-1A05-00000000FB01}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007484Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:41.709{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7B260BC2E319E03A542E158C7604974,SHA256=E24B9EB9C8CB0E8B4DA5E734EC6AF3B3D190338F5684423A70FF04892339948B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023077Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:41.691{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-01F1-615C-1C05-00000000FB01}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023076Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:41.691{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023075Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:41.691{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023074Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:41.691{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023073Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:41.691{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023072Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:41.691{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-01F1-615C-1C05-00000000FB01}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023071Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:41.691{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-01F1-615C-1C05-00000000FB01}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023070Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:41.692{6EDEAD03-01F1-615C-1C05-00000000FB01}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023069Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:41.397{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\surveyor-20211005071802-024MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023068Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:41.349{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E100FD3B1569A7D36DF6549DB48C47BF,SHA256=0681F13C36949D9CB297DC807489561D70BBC55887C9E5971DCF7C2CE740BD83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023067Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:41.349{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6547E263395EF18AA2082BAF82ADC2DF,SHA256=609D858556FB983ACCC3FA750BBAC6D7CB27E5E213E1C3E798807875E83D8740,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023066Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:38.858{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61935-false10.0.1.12-8000- 10341000x800000000000000023065Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:41.177{6EDEAD03-01F1-615C-1B05-00000000FB01}63605044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023064Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:41.021{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-01F1-615C-1B05-00000000FB01}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023063Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:41.021{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023062Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:41.021{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023061Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:41.021{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023060Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:41.021{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023059Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:41.021{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-01F1-615C-1B05-00000000FB01}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023058Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:41.021{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-01F1-615C-1B05-00000000FB01}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023057Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:41.021{6EDEAD03-01F1-615C-1B05-00000000FB01}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023056Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:41.005{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E8491E8F174C7E79A51F854B219FD62,SHA256=F7C7A55F100714BD590EFEB585054E646C74AA52C2837517DE970DF1CBA875AE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000007495Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 07:42:42.802{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000007494Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 07:42:42.802{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x000fc932) 13241300x80000000000000007493Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 07:42:42.802{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b9b4-0x324194a4) 13241300x80000000000000007492Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 07:42:42.802{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b9bc-0x9405fca4) 13241300x80000000000000007491Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 07:42:42.802{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b9c4-0xf5ca64a4) 13241300x80000000000000007490Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 07:42:42.802{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000007489Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 07:42:42.802{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x000fc932) 13241300x80000000000000007488Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 07:42:42.802{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b9b4-0x324194a4) 13241300x80000000000000007487Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 07:42:42.802{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b9bc-0x9405fca4) 13241300x80000000000000007486Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 07:42:42.802{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b9c4-0xf5ca64a4) 23542300x80000000000000007485Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:42.724{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0ECD7C54B0F38F0E452E9A0CDBD417D,SHA256=8E505455E80C30CED59A69DE733DC0A1A5DA1183C7B38573BDD4A242D182882F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023088Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:42.741{6EDEAD03-01F2-615C-1D05-00000000FB01}46126388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000023087Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:42.725{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E100FD3B1569A7D36DF6549DB48C47BF,SHA256=0681F13C36949D9CB297DC807489561D70BBC55887C9E5971DCF7C2CE740BD83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023086Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:42.569{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-01F2-615C-1D05-00000000FB01}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023085Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:42.569{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023084Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:42.569{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023083Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:42.569{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023082Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:42.569{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023081Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:42.569{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-01F2-615C-1D05-00000000FB01}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023080Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:42.569{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-01F2-615C-1D05-00000000FB01}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023079Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:42.570{6EDEAD03-01F2-615C-1D05-00000000FB01}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023078Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:42.022{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20CD55F909F9B7956E97CC76478315AE,SHA256=AA60B173BEF7D1AFF89363FE05210FD3D63488F92CC3FDA2EDA8B6DA4D5F33E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007498Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:43.724{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE0CD941341DE8043F3D9156831CD1CB,SHA256=A92B9817F3F7A3B74C0C17AD81FFA30E6CE5E134E422743067A50F7D379C4510,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000023099Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:42:43.929{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXEHKU\S-1-5-21-1984405510-3441252591-1346373189-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99D353BC-C813-41EC-8F28-EAE61E702E57} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFFBinary Data 10341000x800000000000000023098Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:43.272{6EDEAD03-01F3-615C-1E05-00000000FB01}51686484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023097Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:43.101{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-01F3-615C-1E05-00000000FB01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023096Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:43.101{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023095Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:43.101{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023094Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:43.101{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023093Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:43.101{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023092Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:43.101{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-01F3-615C-1E05-00000000FB01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023091Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:43.101{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-01F3-615C-1E05-00000000FB01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023090Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:43.102{6EDEAD03-01F3-615C-1E05-00000000FB01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023089Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:43.069{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E4BF9EB8EB8947EA1AEA4F3DD0A0565,SHA256=84679E81CB688A264D51E87EE5C1130F424222562D31417D76774AEA47687306,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007497Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:41.069{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49895-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007496Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:43.037{49C67628-FE68-615B-9F00-00000000FC01}1772NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007513Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:44.787{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-01F4-615C-4E01-00000000FC01}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007512Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:44.787{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007511Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:44.787{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007510Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:44.787{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007509Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:44.787{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007508Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:44.787{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007507Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:44.787{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007506Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:44.787{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007505Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:44.787{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007504Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:44.787{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007503Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:44.787{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-01F4-615C-4E01-00000000FC01}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007502Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:44.787{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-01F4-615C-4E01-00000000FC01}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007501Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:44.788{49C67628-01F4-615C-4E01-00000000FC01}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007500Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:44.740{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00F357B0E44F03A6BE77A96A88184A06,SHA256=372A07F171825745F46FC88125D7BA5A5F9DBE49831C90EF3D76B8C03F0E515A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023125Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:44.726{6EDEAD03-FF62-615B-F802-00000000FB01}50525772C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023124Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:44.726{6EDEAD03-FF62-615B-F802-00000000FB01}50525772C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023123Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:44.726{6EDEAD03-FF62-615B-F802-00000000FB01}50525772C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023122Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:44.726{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023121Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:44.726{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023120Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:44.726{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023119Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:44.726{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023118Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:44.710{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-01F4-615C-2005-00000000FB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023117Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:44.710{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023116Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:44.710{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023115Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:44.710{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023114Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:44.710{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023113Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:44.710{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-01F4-615C-2005-00000000FB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023112Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:44.710{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-01F4-615C-2005-00000000FB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023111Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:44.711{6EDEAD03-01F4-615C-2005-00000000FB01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023110Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:44.210{6EDEAD03-01F4-615C-1F05-00000000FB01}66846456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000023109Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:44.101{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D22D4DB00F4F9CED935A4F7161688974,SHA256=6A49C9D9177BE19A7A55A1CF4B64C952AFF9B3D94D7827BCA33BF4C0FD67F190,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023108Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:44.085{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCAE90580AE6BC79AD6613DD3CA27D07,SHA256=CFB9554E3B02F291D8F267F1AFCF98AFD65B52D9D563433705785E0280618E54,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007499Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:43.053{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49896-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000023107Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:44.038{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-01F4-615C-1F05-00000000FB01}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023106Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:44.038{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023105Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:44.038{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023104Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:44.038{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023103Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:44.038{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023102Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:44.038{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-01F4-615C-1F05-00000000FB01}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023101Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:44.038{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-01F4-615C-1F05-00000000FB01}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023100Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:44.039{6EDEAD03-01F4-615C-1F05-00000000FB01}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007530Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:45.927{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=315FD5871797ED232994D5EDB23CE238,SHA256=DB137BE8A0A958E51867C85DC07D6C657B234F45E60E5A809060E1699E538BD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007529Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:45.927{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86CC0F560546A8C68A4F9AC41058D9E3,SHA256=391E8FA7993C8A39C1562EB2CDD976AA264F5AC147C8985E6807040B36F2032F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007528Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:45.927{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8A09C14EDEC40FDAAE3C88DD43B1ADF,SHA256=2F52DAF5D922419CF4B6538BACF216A96AC1F272810D0D23B44867803D799D11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023127Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:45.788{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FF6BF36A70671A58400DF23F9B33DD4,SHA256=11CD5F062F099F4E049F09215C6CB7957F6D7B28FC8C03970843D75E50FDA4C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023126Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:45.226{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F164631F6F0A8EE79E56A225A4F216A,SHA256=2017F89F5EC5BC1138FB96565E276AA368AFDCBA4C38FF73D1CFC1C87B687898,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007527Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:45.615{49C67628-01F5-615C-4F01-00000000FC01}26203204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007526Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:45.458{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-01F5-615C-4F01-00000000FC01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007525Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:45.458{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007524Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:45.458{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007523Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:45.458{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007522Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:45.458{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007521Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:45.458{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007520Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:45.458{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007519Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:45.458{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007518Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:45.458{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007517Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:45.458{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007516Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:45.458{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-01F5-615C-4F01-00000000FC01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007515Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:45.458{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-01F5-615C-4F01-00000000FC01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007514Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:45.459{49C67628-01F5-615C-4F01-00000000FC01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007544Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:46.990{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A43AEA3AE9447F37F844640CF1A2B732,SHA256=4471BFDE312E96D49D8EB2AEBB3E2242D8ABB8E8A04F2C457FECD5F6D3348EE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023129Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:44.832{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61936-false10.0.1.12-8000- 23542300x800000000000000023128Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:46.241{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C9C41D8B077F4B36BA4BA33DAE723EE,SHA256=52C3BE991A1EAE13C728D33B6B733EA88CC369BC6FBD490A423A3D0780796896,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007543Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:46.130{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-01F6-615C-5001-00000000FC01}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007542Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:46.130{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007541Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:46.130{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007540Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:46.130{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007539Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:46.130{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007538Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:46.130{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007537Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:46.130{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007536Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:46.130{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007535Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:46.130{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007534Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:46.130{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007533Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:46.130{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-01F6-615C-5001-00000000FC01}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007532Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:46.130{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-01F6-615C-5001-00000000FC01}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007531Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:46.131{49C67628-01F6-615C-5001-00000000FC01}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023130Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:47.241{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB1A291C0992EC5831C2D8C1C1240BDB,SHA256=159CD82DDB1ED99EA463FE670F760F276B3AB4632118BC550E65F4853EF7635B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007559Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:47.255{49C67628-01F7-615C-5101-00000000FC01}28523092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007558Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:47.162{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=315FD5871797ED232994D5EDB23CE238,SHA256=DB137BE8A0A958E51867C85DC07D6C657B234F45E60E5A809060E1699E538BD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007557Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:47.068{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-01F7-615C-5101-00000000FC01}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007556Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:47.068{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007555Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:47.068{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007554Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:47.068{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007553Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:47.068{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007552Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:47.068{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007551Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:47.068{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007550Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:47.068{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007549Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:47.068{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007548Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:47.068{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007547Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:47.068{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-01F7-615C-5101-00000000FC01}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007546Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:47.068{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-01F7-615C-5101-00000000FC01}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007545Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:47.069{49C67628-01F7-615C-5101-00000000FC01}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023131Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:48.257{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=103FFCE656E40338A1916B572A405CA0,SHA256=6BA3D76B7BA9331D4BAD089B827067043F4EBEFD95CD8C9366A2A42D04A74F0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007588Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:48.974{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-01F8-615C-5301-00000000FC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007587Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:48.974{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007586Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:48.974{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007585Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:48.974{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007584Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:48.974{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007583Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:48.974{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007582Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:48.974{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007581Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:48.974{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007580Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:48.974{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007579Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:48.974{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007578Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:48.974{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-01F8-615C-5301-00000000FC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007577Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:48.974{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-01F8-615C-5301-00000000FC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007576Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:48.975{49C67628-01F8-615C-5301-00000000FC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007575Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:46.178{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49897-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000007574Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:48.474{49C67628-01F8-615C-5201-00000000FC01}29043272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007573Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:48.302{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-01F8-615C-5201-00000000FC01}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007572Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:48.302{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007571Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:48.302{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007570Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:48.302{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007569Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:48.302{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007568Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:48.302{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007567Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:48.302{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007566Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:48.302{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007565Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:48.302{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007564Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:48.302{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-01F8-615C-5201-00000000FC01}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007563Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:48.302{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007562Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:48.302{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-01F8-615C-5201-00000000FC01}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007561Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:48.303{49C67628-01F8-615C-5201-00000000FC01}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007560Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:48.208{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7EE424C4458D9893A8F4D58F941C3B4,SHA256=234AA4DB8E18A7DECFA8DDD0DD216DF293335B03B797CA29227C38D9D6A3E5D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007604Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:49.771{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-01F9-615C-5401-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007603Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:49.771{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007602Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:49.771{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007601Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:49.771{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007600Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:49.771{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007599Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:49.771{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007598Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:49.771{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007597Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:49.771{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007596Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:49.771{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007595Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:49.771{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007594Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:49.771{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-01F9-615C-5401-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007593Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:49.771{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-01F9-615C-5401-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007592Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:49.772{49C67628-01F9-615C-5401-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007591Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:49.490{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF1F8D8405E9401555A21128D0944968,SHA256=52C884C8A537BCEA903107AD4DAF35CDB6878E69D5E8B5059637A3112A6DFB4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023132Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:49.272{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA40986E55F81CCC3D7675B73B5C7EEA,SHA256=816965C678BCA7375E7BDF96B97E4473EF845179AB8872E24349A72D045D76D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007590Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:49.302{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E1A2268146312A5BB84DD4EF587A56E,SHA256=5C42B327E0D4621694EE0908B56E37E9699EE94931B28062CF5CE8E25DB57F31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007589Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:49.177{49C67628-01F8-615C-5301-00000000FC01}40761908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007606Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:50.818{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD39ED12C0D4ED3D400B9962E85706FA,SHA256=C6928DE9ADD185E42EF1B8C921A50E06CC64A4FA5859F12A7FCA293782841019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007605Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:50.490{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=045E019178523A124BF2245639A781D4,SHA256=DFCE4CE35AF0298E2CB874FA7A2F6C4395E2A36A2E378B0CFDD46ED0863AE068,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023134Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:50.397{6EDEAD03-FC1D-615B-1200-00000000FB01}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9FD548BB35018C1DA33D068EDF0B7D75,SHA256=E306532ED0B0289558FCD17B024F771EC1DAB2DC38D5DCA395C836312C5AED86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023133Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:50.272{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C8BE4B051D4B3C87847E005C7AA34B,SHA256=75738F7AD283249719909EC62D303893ECB3FAD24A7E8E539A61D7987B997131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007607Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:51.708{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D60DC41C9B2588AFF3DD63844004973,SHA256=262CE8F0ADEC14312C8A079C409B756DF6CDA894E5E3A4A295A67AB7A5594F21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023135Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:51.288{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C25708CF0C5CCEB0EB7D1581DCAE48C,SHA256=216185BC6EC5541ACA0EBA3D5D9F4317FB67CC799736523C0700B48C49D3F7B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007608Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:52.755{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FDCF9BE2314DFEB2D4370309623693E,SHA256=D8110F8381D8BC963DD48F2CF10BB5668D02DD16861DA0764FCC01ECBFD7295A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023136Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:52.304{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDD5F0B0894475A1C6B1085CE6D3BF0C,SHA256=277159591498F45E9BF45501B738844C2F12873F15CAA8DAFAB7DB897FBB1DCD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023138Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:50.785{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61937-false10.0.1.12-8000- 23542300x800000000000000023137Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:53.413{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE7A0C5B35FDEC5266F38E4C9CFE1B0B,SHA256=FCF908AEA5DD955B3D856F55B78E72631B7352C2474D21F0C6929CFA8FB08CB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007609Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:53.755{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7670FEEB0D856506D3DA6D3065DE2797,SHA256=4569DEF8FB5EDCF96009C6E38F7F86E6600D424DAFBA9F61E109CAD0739D6F09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023139Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:54.444{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D28FD245D378D2E167285A30C026CB66,SHA256=B30D9D1539BDE49DE0DFDF4581D1DB5DFA42F13573ADC3124DC6C00C716DFC24,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007611Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:52.084{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49898-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007610Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:54.755{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE40CF3644D139CA6255FD3B6CECD850,SHA256=B017FA697089A57370D1B43DB735DEB989CC1331106BBEDF05E204114FD74492,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007612Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:55.755{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84BAAD6A9E2AD6102B8C933740EAB377,SHA256=C7A3649422CC8C6B1EDA83B60E0E09143865A8B5D005BF646BF81E100FCD4E2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023140Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:55.569{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91C787E0D9E8D7C04F08947A75AE69EB,SHA256=55D1DF8EFA17DF22458DDF9F34CEEF62890103446894AFF176612E0F542313F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023141Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:56.616{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B2797AF42A43EC0EB116F973092B7FB,SHA256=2AFB2D21E65D01FB36D3CE27A567A8D598C0D48FF0546E63A19BD9BB022D3038,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007613Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:56.755{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AA07C2C656D9296CB4095255A9694B7,SHA256=86B36D690D5682EAFCE326C777FF29D736316AFC5503B3E3E8BB2FE5C7A1C5BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023142Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:57.617{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC41255B00D0A9F269F988D34EF4544E,SHA256=43B12B11404124B7E8C4B28174994929FC4B030C1DF497BFEEB4746990CC1697,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007614Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:57.761{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=048E6013210FC009A850CA7FF01E089D,SHA256=53AF0AF058912266AD9C10868AFB81E2670EED9A9A32264DDDAC186822FBA61C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023143Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:58.758{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC2519E92831696BC030FE53D80958B2,SHA256=A9C6C9A7AEC667C3A29A72B18E4C068F04187DCFF5D6CA576F0D292F61C6C940,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007616Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:57.272{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49899-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007615Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:58.762{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=788CD7E47DB5F6B078CE13AB241C1F12,SHA256=AFFF267B1CC7CCF9BD07CCF34A08AFB9AFF282498886B0124E744FE4211CF174,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023145Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:59.820{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=750ADB0043EA41932B4E4260FE0A4DB5,SHA256=2B0E024046AA0FF24D20AE6C7AB401359931DFEA7FB9DE5F8F8DD31921413076,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007618Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:59.772{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91D589557FB821D3EC2B03115A8525EC,SHA256=63713794E8309DABA2D01E9AC80CE8808078C9B65F0A545E96F6F43E6E0C2F54,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023144Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:42:56.754{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61938-false10.0.1.12-8000- 23542300x80000000000000007617Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:42:59.093{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\respondent-20211005072534-016MD5=9DBD3CF651CAD1963D7DD9E70795396E,SHA256=D00FE5240C0E39CC33FD8ADFFDA13197E8833401D0A3D05F731F6A79B8E00229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023146Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:00.851{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9189B57A6BC31669AF11F7DB9FCD6D2,SHA256=AE27CD9F8FC89459CA86681F93E8EBDE0E3B5527F301A6ACEE4FB4D7EC3068FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007620Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:00.773{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E28361403BB9BC3DF37A26BEB89E4DA,SHA256=4675D5185F9891CC7C9555E8E44B401FB89B39F440B837BB7D8995D3003AA63C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007619Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:00.101{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\surveyor-20211005072532-017MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023147Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:01.898{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9A3219CE66E1DAE6E4D0AD137866FE2,SHA256=977EB5952E2073CE4F2BF09F7EB2E3726E880AAA6D67D342F684DB26FE805E08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007621Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:01.773{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC1008C1D78A65823815E26E1CC1A762,SHA256=8FD62D725DECDE01CB728A2A19D3B32F2FC77CB44F54D695E1BAD97EC25C97AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007622Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:02.773{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27FC34538263290D0CBEEB96E533D811,SHA256=47867475690EB0E59AE5549C86EAE3070E14423B48A8BF369640F9A3EEC45048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007623Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:03.773{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51E7498A418C2892530CF0A0A7299AD7,SHA256=8EFE48A25906CDB6DA5463F15D23E1416200B45597F5CA985D3A5E4BB6E8E0CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023148Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:03.023{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ED6AC037EE18AD7156F7B33BADFB357,SHA256=B806DB0DE1720EF93E673FDF61548A21485891D5EA74941E33FB00AA453BFE1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007624Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:04.773{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEA6F37F3880026A05F1D8398AEDA030,SHA256=E804726E27070C3D514D39B50FE47A1EBF8FC955EE92305D2BDF8FD4774C9DF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023150Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:02.692{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61939-false10.0.1.12-8000- 23542300x800000000000000023149Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:04.070{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55829C71469363CD071649360D5A7DA8,SHA256=FF9093B8EB41900E0148F0D8BBABEBA5243436C8210E87E890FA728A2ACBAA7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007626Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:05.788{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C4E26F9DD21728D912FE7D8C6784778,SHA256=D98B70A53765EDB0F698D8938554A238C2A63CBECC722D802BBE4739FD0B3D68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023151Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:05.086{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=551161437F94F4E3E319A4B349EAB56D,SHA256=E2F92E9CE216B226191B0C5296E43B54FD15D937C6ABE22561B3231B7467162B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007625Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:03.165{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49900-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007627Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:06.788{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF12DF07B96CA0536B529D4F1FC63E07,SHA256=38BF8C04A05BAA5348F791A76D956983CA93132174C551FD0483EBB367D61A75,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023156Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:05.338{6EDEAD03-FC2C-615B-4400-00000000FB01}3672C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61943-false169.254.169.254-80http 354300x800000000000000023155Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:05.242{6EDEAD03-FC2C-615B-4400-00000000FB01}3672C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61942-false169.254.169.254-80http 354300x800000000000000023154Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:05.210{6EDEAD03-FC2C-615B-4400-00000000FB01}3672C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61941-false169.254.169.254-80http 354300x800000000000000023153Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:05.209{6EDEAD03-FC2C-615B-4400-00000000FB01}3672C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61940-false169.254.169.254-80http 23542300x800000000000000023152Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:06.123{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A7586C272AAEE0A78D257065C5C29D2,SHA256=665817F4B576786C80C4D135CCCE30FF6ED49BA74F008C4F0E09054D1F680B4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007628Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:07.788{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE22596167B6C23D6F79762EE51ABC9,SHA256=406B2A10E65EA01F39C67014A52D57259D5DCD92D805208E62B9496616D312D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023157Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:07.139{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0717FF859EC2A5BE132A33BE09E78852,SHA256=C907673563D682710FB3C9988420E6EF2EBB4C47B342BEE1A076A8908EFCF407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007629Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:08.804{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59876FDD425F222C59539CA3D81943D7,SHA256=D8075B0A8F8F37DE955E438C868B4368510BED5F4DB1ABDE6DE96C91D410BCF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023158Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:08.201{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=664BC54E4AEA0E8076FE0F4A69BE102E,SHA256=78E70ABF35E7909C50677DDE32ED3E0A0331907D180E2DB7AD759C2896D0B90E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007630Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:09.804{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C58B0E13E95846F82CDAF36B0E514AC,SHA256=8EDF4E093DA01598DBBEC5821897D5C0C1F7307BF0092921E7BD1D77CCEFBF0A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000023160Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:43:09.717{6EDEAD03-FC1D-615B-1100-00000000FB01}480C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b9bc-0xa498a805) 23542300x800000000000000023159Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:09.248{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F8F5F136C1E7E4666BE8D5BA0513E87,SHA256=423C45D95276C9E6B88DD63B585B4A5454F1941D0F172027E09B2CA1C8858373,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007632Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:10.804{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB5CC600F6003EAEEEBD2D1E791F3C35,SHA256=E2672594D9652F1913FF3ECDFABFE8BA670A1AEC94C5158088E3396A5C2FA0E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023162Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:10.280{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EE3519068BDD1ECE514F32B0B68F084,SHA256=D2C3D7194E8F85A1E9EF652BD7934DBE57B807570F43AFEDB676253963410620,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007631Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:08.211{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49901-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000023161Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:07.730{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61944-false10.0.1.12-8000- 23542300x80000000000000007633Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:11.804{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B13604A2165F5FFE08A619CAA5F9A99,SHA256=C5BEB058FD4E8544A08B94E276DBF371982557C660C157CC69263891B49664AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023163Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:11.451{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04EE99F9A0CF625760CB352F855315CF,SHA256=C993AC46F1B99220835FD92642F8B96122BCA16B566B87EFF16269B790E402DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007634Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:12.804{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A471774727BC81ED7A6C033CF4EA2FA,SHA256=97BA82874EB2480E845CB9E47DCE4E241EE31A28574B68B632CD58420278F87F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023164Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:12.452{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=926D4A7DBC7104F9D478BDB01A701312,SHA256=117D0BEDBC979C77D1D5F7EAA86E463ED25FD3C7B766E74DACE272CE83BC1120,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007635Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:13.804{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FE31293F6CBB5707EC657FB4529E92D,SHA256=F97E1AD39EFA29BC3C3914B7F54F4CA60197CDC978B7DF78B7BD39EA572EACFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023165Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:13.467{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A095609B7619A3D05A6F2F33EDE20B6D,SHA256=0FC312D8C436073D1E8B01AEAA1C061EFA68B6074F9FC47F7860009CD9EE3F34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007636Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:14.820{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0A21978349460AA943E3D3154ACDBA9,SHA256=82D242A3A19A3282CE5C67C49EA55B09E3DB499E1CE8785567CEC54EE1867E5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023166Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:14.483{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F55C6CCEC6C12C2099EA91FE9617DE67,SHA256=D9D2C2317777B551832DF63F08EDF3C328F1E8AC7162172C468310A4855B9132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007637Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:15.820{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4821BFF321464B2591D5BBF687468DEE,SHA256=436186664D9E1FDE3BEB17EC75FABD2FCE2830D491F245A6FD3D9A9998A8B43F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023168Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:15.514{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A916D9B7E481BB0BD3F8AE1DA94F2D6,SHA256=34A35FD44E41787A59B9DF1A444820BBC6DB08AB08A8E8EA36369994B8ED7F1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023167Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:12.839{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61945-false10.0.1.12-8000- 23542300x80000000000000007639Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:16.820{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CDC6260DBF1A436B09E0D25E7580DA1,SHA256=4587961E5FE0FF60E3C813F0D4C81402BD5421F729FA493E4D0440954B677535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023169Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:16.545{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC62BB545CDDE4D2B533B4EE73DC7C20,SHA256=4CB34E8872C4A64B2366415584FB3D32CD60D69069813BD85CA60C6209E3F9ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007638Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:14.180{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49902-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007640Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:17.820{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28AC8052AB8E3D85B0B96C3FE2F46114,SHA256=81F536148B765EABDDC68E5FEF36CECB39C59291439646711A5F620FADC48072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023172Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:17.567{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A4EEDC70A6B4341B5836C660F0725D4,SHA256=E823938E4166607BF2A26CFCBFD3CE5FCA38E86EE4B595D657EB35DD3DE95A28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023171Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:17.123{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87F5D455846AAA6135984F058FB89E63,SHA256=01DEB1C44DCF8AF0DD9C2FAB49BDA9919920A4458B4732C5AF7218FE3D61F122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023170Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:17.123{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C83ADB24795B19ED9023FBFCFB78FB5B,SHA256=C4F1AAE58D5C162B7F6B80AD8C6185CC560AE1876F7B382AF0E11ACCBB2D775F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007641Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:18.836{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EFC1D0F2D9B6DD2D1C2F7D184134791,SHA256=12601389691F7E3883A3EFB6026B88D57F800276B715B6ED10348BA10EB91655,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023175Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:18.661{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C3FE215A80F21A57F0F87B4CBA44388,SHA256=CC04F1A607A7D8CE540AF6590A1521E4E33BA69D24C65B9172A299EBA0FC4A56,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023174Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:15.917{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local61946-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 354300x800000000000000023173Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:15.917{6EDEAD03-FC2A-615B-2900-00000000FB01}2912C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local61946-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 23542300x80000000000000007642Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:19.852{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B89F579E3EFB5BD5355ABB0FE6752916,SHA256=310528D57074F9DFE274D0E01FF547B7B687CEC79AA3142752DC92428E31122E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023179Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:19.661{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B2CB5DC5383E69263E273245BE9C2B7,SHA256=21D5AC1BD8C64914E9C6E301FEDD443F1DAE3D4226D6FFADA0CAA536D92DB821,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000023178Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:43:19.552{6EDEAD03-FC2A-615B-2D00-00000000FB01}1000C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x800000000000000023177Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:43:19.536{6EDEAD03-FC2A-615B-2D00-00000000FB01}1000C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\3921F692-FD43-40E6-838A-1597F7469C61\Config SourceDWORD (0x00000001) 13241300x800000000000000023176Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:43:19.536{6EDEAD03-FC2A-615B-2D00-00000000FB01}1000C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\3921F692-FD43-40E6-838A-1597F7469C61\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_3921F692-FD43-40E6-838A-1597F7469C61.XML 23542300x80000000000000007643Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:20.852{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C58F7ECD2C913DA5D586072921E55EAA,SHA256=26C7DAD86FDA6DFDDF0F7B9E9CE2C8C017767694D212465C296EDBABE5265C66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023181Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:20.755{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA63D303B1AA1FCD0533B02425CCCE5,SHA256=728B41E7DEB9E893460653AC92785D1EFF5779287320ADA7BA32651CBE97B41B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023180Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:20.583{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87F5D455846AAA6135984F058FB89E63,SHA256=01DEB1C44DCF8AF0DD9C2FAB49BDA9919920A4458B4732C5AF7218FE3D61F122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007645Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:21.852{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2992454D8FB9CE9EA1C019CECC67784,SHA256=80CE894D8423E6A7E5878496065069B7DB95BAEC70FB9C63D18158BAF6036D57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023192Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:21.802{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DEDD882F0975D9C9B86A85FDD37D7AF,SHA256=03410961F6ED96FAB8F8D0B176212ED5C1F13D787957D4202F4465F325BC5F74,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007644Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:20.072{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49903-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000023191Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:21.364{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1500-00000000FB01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023190Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:21.364{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1500-00000000FB01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023189Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:21.364{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1500-00000000FB01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000023188Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:19.166{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local61950-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local389ldap 354300x800000000000000023187Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:19.166{6EDEAD03-FC2A-615B-2D00-00000000FB01}1000C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local61950-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local389ldap 354300x800000000000000023186Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:19.159{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local61949-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local389ldap 354300x800000000000000023185Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:19.159{6EDEAD03-FC2A-615B-2D00-00000000FB01}1000C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local61949-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local389ldap 354300x800000000000000023184Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:19.144{6EDEAD03-FC1D-615B-0D00-00000000FB01}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local61948-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local135epmap 354300x800000000000000023183Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:19.144{6EDEAD03-FC2A-615B-2D00-00000000FB01}1000C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local61948-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local135epmap 354300x800000000000000023182Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:18.767{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61947-false10.0.1.12-8000- 23542300x80000000000000007646Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:22.867{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6040F14F6A1AEFF32D0034431CA3E974,SHA256=766013C3425FC3D64D65AF7F10BC9E31EA25B788FDB3A121F6D675A5833D889F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023193Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:22.817{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFD4B33B1183CA1CD55C52CAD864CF8A,SHA256=C70CD50E95CCC4EDBA11909380AB3DBF20A187F4A84DD8AAFFD4F44C849867F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023194Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:23.849{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A22143A3B8348383130372D46EF4807C,SHA256=97652F6AF19899DA362FDC949F237E73C5AE5C9E735B49D753A0A3205371B8F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007647Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:23.883{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4AE1F85B78FF4947C1A2E62F98E5328,SHA256=648CA2C8EE5BA030875D538BDE001B14B74593E8CC6D7C92134C68F7164EB8A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007648Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:24.883{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=107BE66F0C56B8C04592D7A89E0266F4,SHA256=65E9A1FE85137C7D083082EE9A828A1D0D06B1DCBD150F6C0D3C4C9BF14C349E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007649Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:25.899{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96827920A13B7153D38721F62988575A,SHA256=FFC052AF25677AD7EE037A27CAA1DEA1799BE276C6D815BD8F27DBC96EF41810,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023196Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:23.783{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61952-false10.0.1.12-8000- 23542300x800000000000000023195Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:25.083{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A2D617AD3C8599FD9B8DCFD7812F950,SHA256=E605A355DD4388FDADBF00F1C95E5EE4DE3BBBBD735E6E34E7B50E8EC2922E7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007651Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:26.914{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=069292C52EE40A5CCAFBA69D9220387B,SHA256=7033A7CB81F65F453D53F6E89E14493F6C511396F8C5ED462715DCBC14F23E8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023197Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:26.114{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AC4A8684D29775FF22038B9E9B810DE,SHA256=D14497872E8606E94E32B86FBEDEA5A14E682C7B487DB28F6D29C0C7477F91DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007650Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:25.228{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49904-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007652Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:27.930{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA5F9E7E24804D6D9A6324BF0CD21CC3,SHA256=29491A8FCD22811DBCFE40A1D23B56484897C5429DEA06C71ADC89D1F2BF2F5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023198Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:27.208{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08EBCEDE8595792925F5C898D796212A,SHA256=A0DF138CAC54112E261DE22FC6018BEE98E380CE986C21891B91ABC39EADEC0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007653Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:28.930{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A37C300D5AD55D15FEB20D57D5D1EA3C,SHA256=0C184D684C34E070FA85E86438C58BB69DCA926F98E63E3843687F2385C9D3D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023199Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:28.271{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBFA3BF6C1F0C2EC4969FDCA6024247E,SHA256=582B830F739877DDC1F12D9FAB5DCD0DBDBB6E2107A73592327FE5482C154B76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007654Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:29.930{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F882EF5DBDA7DD01B7C4817C6EC025DC,SHA256=F71CBE3AE8EB50654A6E9F94D4B0DFC2FB5DC9E8DD51DDA892A1E5DFB431B53D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023208Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:29.708{6EDEAD03-011D-615C-0305-00000000FB01}57405284C:\Windows\system32\conhost.exe{6EDEAD03-0221-615C-2105-00000000FB01}4856C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023207Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:29.708{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023206Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:29.708{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023205Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:29.708{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023204Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:29.708{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023203Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:29.708{6EDEAD03-FF5F-615B-E202-00000000FB01}9723552C:\Windows\system32\csrss.exe{6EDEAD03-0221-615C-2105-00000000FB01}4856C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023202Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:29.708{6EDEAD03-011D-615C-0205-00000000FB01}54284716C:\Windows\system32\cmd.exe{6EDEAD03-0221-615C-2105-00000000FB01}4856C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023201Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:29.720{6EDEAD03-0221-615C-2105-00000000FB01}4856C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d1 /fC:\Users\Administrator\ATTACKRANGE\Administrator{6EDEAD03-FF61-615B-7756-1D0000000000}0x1d56772HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x800000000000000023200Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:29.333{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=342EB79156EEB508CABB18D15D03CD7F,SHA256=5AF5E73FAF6708EF3F8E4404DD127A1D8273E69240D6CC5265E8FB4977AF095D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007655Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:30.930{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C82EA4F14767292A310E7F68F773716,SHA256=DC322D414E2F3A939F1631F179808E14EABA610A244373AEC2CEC8B2872B5B30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023211Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:30.755{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A82E8EDDF7733B13D5AA5F396CF2FE9,SHA256=609E2D7F6ECF9116D4AAFD008F3828BE012592EDBF1F37BCFA1817DB60AE9E6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023210Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:30.755{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAC5B607ECF79B424DA3FC4AD6C8A6D6,SHA256=BD5DA40B51123ACB2D490483A771A1335B60C4C0B559E038B9F77BAE7F9C5C94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023209Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:30.396{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C33DCD4D64EA96107AFD73AE18EB1F,SHA256=8BD8AD5445EEDA863231F18B8AD4959C4E76D836CE5CEC9CDA49E77B7DA0D9CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023213Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:29.658{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61954-false10.0.1.12-8000- 23542300x800000000000000023212Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:31.552{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C16E4646E726A603742DD61140141B4C,SHA256=1DBEB7C4F537F9BED25C209B46B48BA477EFAA56602FC4636995FB8B7FED241C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023214Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:32.599{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E71426EBBD41703243C62619C4C9F6F1,SHA256=3157330415C45D3E31A2DB2353F2F22371F4AC35B37E0CC5B0E592F92432B3B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007658Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:31.197{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49905-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007657Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:32.164{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7FD98D1B911184331974D2769982E3E,SHA256=00A3E1E5A3611D7777F9B0E3EB9F760CD1321317AB390ADFE2A520DF558D63D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007656Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:32.164{49C67628-FDEB-615B-1100-00000000FC01}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2549E5E55C39EEB1EF58FA6BE7F1C646,SHA256=7738592355B6CF94967AF03B65C5DCF63874C26135AA7315631804ECA89D07CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023215Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:33.599{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C526289E798B712CFCAE82E38E5E2A8F,SHA256=8C3DD5C40471AAE229AA096329353042417923DF39BA59A049277DAA21761CCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007659Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:33.195{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13B30FAA806B5D5CA1C454ED7FBE13FD,SHA256=DA030FDB3141484ABC51FBB523F3A86E60CEEFB8912F2181354118CF4F422F4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023216Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:34.614{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E89A1AFF43D1779D70FA18622A4070AC,SHA256=F918B0C4B19C248474BECC148DFA20AB88378B129D2F9133EB99614930F5C7B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007660Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:34.414{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D00B55985A1755CFA70FFE421AADB5DB,SHA256=66EB03621BE035BC6E104C3CBDECF49E0201D1FF311C55586CD2098523DD5FC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007661Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:35.648{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B430D964975F9441B53DD1C90014713E,SHA256=9B493E9A2D8BDC35FAE0E9C1F63E86A0A8CD377B777A7A8406FBDFD2F20E7DC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023217Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:35.630{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D5324B7AF32E5C7431869720DF6E70D,SHA256=F3473311B41A0072206489AA754A9CE3495EC52E2511664A88E4A2D58958F358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007662Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:36.648{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E693345C7CED5AFB28BD4432BFAF14C8,SHA256=2BEAB6EB1ADC42D6A94DFB89E1AB2DF3B46807F1DE799FC2C1C33057C8EAB9BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023218Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:36.646{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFDE73DD564F9FAE9E7A16B502C479D8,SHA256=10EC9479ABE54885FF3578F42F169E03E6847C72DEDAE03CD19F8FFF594B13D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007663Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:37.668{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=272F85C77022B885F61415CB45B137C9,SHA256=89133E7470EA78A72477F7B83ABA9A205454BFDD33B34A25C8B7E3EC06DF077C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023220Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:34.845{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61955-false10.0.1.12-8000- 23542300x800000000000000023219Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:37.650{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00202D18515DA6A41884E2F1F52F6421,SHA256=D39409161DBC85DC7CDAA576C6032163F23C4E5368BBE28D94DDDCB590EBFC72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007664Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:38.762{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21B659041C4F65DDBF99041C70F51390,SHA256=442639D6EBEEFE239834AC973DC18AB05BB31F6786286A0AFB05038FD74E3715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023222Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:38.759{6EDEAD03-FCBF-615B-AF00-00000000FB01}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023221Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:38.651{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=962897DACB72A3E6240FC9FC57362F62,SHA256=9E716656133C314C8E99CA1775FFF4CAD157355001B7CE8FD2EDFA6763963383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007665Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:39.949{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B31E3CACE5D381D96B38F1F3ED2FC49,SHA256=7E2D8915153545671BFCE6CDFEC5EF30593DAB8E6523B6352AD121661454BD8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023231Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:39.665{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D698C238E8FD8336BC1CD62B2309D2AB,SHA256=0344C2A9A8311901B91E4B9669D69442BDCD5E18CEDAE7CD05A8DBE2C3E2109C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023230Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:39.462{6EDEAD03-011D-615C-0305-00000000FB01}57405284C:\Windows\system32\conhost.exe{6EDEAD03-022B-615C-2205-00000000FB01}7000C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023229Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:39.462{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023228Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:39.462{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023227Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:39.462{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023226Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:39.462{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023225Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:39.462{6EDEAD03-FF5F-615B-E202-00000000FB01}9723852C:\Windows\system32\csrss.exe{6EDEAD03-022B-615C-2205-00000000FB01}7000C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023224Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:39.462{6EDEAD03-011D-615C-0205-00000000FB01}54284716C:\Windows\system32\cmd.exe{6EDEAD03-022B-615C-2205-00000000FB01}7000C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023223Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:39.474{6EDEAD03-022B-615C-2205-00000000FB01}7000C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /fC:\Users\Administrator\ATTACKRANGE\Administrator{6EDEAD03-FF61-615B-7756-1D0000000000}0x1d56772HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x80000000000000007667Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:40.949{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F2F53ECC082BC525CD3F18C1744ADD0,SHA256=4D92C50601AC910F7C43D2A393273D8B51839442AC23A06E036C16231E94C5EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023243Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:38.350{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61956-false10.0.1.12-8089- 23542300x800000000000000023242Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:40.665{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B0197BE7C695FC18BED81383AB7634,SHA256=A682E353C91EA1EE4AC5FD08E4242CB20231BDAB90373AC60BAD00D4626C5CA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007666Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:37.134{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49906-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000023241Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:40.478{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FEBCDDEA1E7913169D1053D46FDD26C,SHA256=39027282DD1F2A057CA7A34CC6CD456F7B0965AB25638661792CA3AF6D29C040,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023240Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:40.478{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A82E8EDDF7733B13D5AA5F396CF2FE9,SHA256=609E2D7F6ECF9116D4AAFD008F3828BE012592EDBF1F37BCFA1817DB60AE9E6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023239Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:40.353{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-022C-615C-2305-00000000FB01}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023238Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:40.353{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023237Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:40.353{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023236Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:40.353{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023235Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:40.353{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023234Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:40.353{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-022C-615C-2305-00000000FB01}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023233Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:40.353{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-022C-615C-2305-00000000FB01}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023232Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:40.354{6EDEAD03-022C-615C-2305-00000000FB01}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007668Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:41.949{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65A7A56E1BE2E24B06FEF05AF624D331,SHA256=FF98CA068B7B698E01987AC50730F028DCE6ED3B5B1FED2C5D3CE45129443D3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023262Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:41.917{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\respondent-20211005071805-024MD5=AA6F78CCC35FD74424B933C975A9F779,SHA256=482DFC86E7C4A11E76E3E352EB64B396C84C083D9F57F37823883232EC55A225,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023261Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:41.697{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-022D-615C-2505-00000000FB01}7012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023260Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:41.697{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023259Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:41.697{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023258Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:41.697{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023257Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:41.697{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023256Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:41.697{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-022D-615C-2505-00000000FB01}7012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023255Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:41.697{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-022D-615C-2505-00000000FB01}7012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023254Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:41.697{6EDEAD03-022D-615C-2505-00000000FB01}7012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023253Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:41.681{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6AA5797E1F0A4D3BB371610D0805799,SHA256=C1EB3A48307D8B129D8623CEF03FCA4746AA0D6ED321D9C8740C72507677D063,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023252Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:41.197{6EDEAD03-022D-615C-2405-00000000FB01}69446840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023251Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:41.025{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-022D-615C-2405-00000000FB01}6944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023250Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:41.025{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023249Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:41.025{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023248Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:41.025{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023247Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:41.025{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023246Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:41.025{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-022D-615C-2405-00000000FB01}6944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023245Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:41.025{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-022D-615C-2405-00000000FB01}6944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023244Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:41.026{6EDEAD03-022D-615C-2405-00000000FB01}6944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007669Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:42.949{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD89EA5B98AE5E361FC70C0F204FA05,SHA256=B0ACF8E9BF1BF6743397E66941C784F6360A05253AAD9730595A0574CC239D9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023275Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:42.931{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\surveyor-20211005071802-025MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023274Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:40.787{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61957-false10.0.1.12-8000- 10341000x800000000000000023273Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:42.727{6EDEAD03-022E-615C-2605-00000000FB01}48926580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000023272Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:42.696{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD9FB3463B661FE5AB56EA4AFF2DB983,SHA256=05976B8F92A3AD3BF0A6509CAC2931DCF34E84BE1D90A81524142852B2CD6E28,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023271Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:42.571{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-022E-615C-2605-00000000FB01}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023270Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:42.571{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023269Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:42.571{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023268Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:42.571{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023267Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:42.571{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023266Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:42.571{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-022E-615C-2605-00000000FB01}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023265Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:42.571{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-022E-615C-2605-00000000FB01}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023264Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:42.572{6EDEAD03-022E-615C-2605-00000000FB01}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023263Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:42.056{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FEBCDDEA1E7913169D1053D46FDD26C,SHA256=39027282DD1F2A057CA7A34CC6CD456F7B0965AB25638661792CA3AF6D29C040,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007671Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:43.965{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66BB81C6AE6BC5655A84F0D52EED5615,SHA256=D55440FF792955C9CD35B93D66779A89D55C8D08E9D636FF46772EC0B5FB03B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023286Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:43.698{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9703AC81E02EFC90F9925A470389DCF4,SHA256=FAC62325BDCB50C3FCCB168DDA1B17E0DAF602E86D4EEBA80165D5EA0B2C989C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007670Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:43.074{49C67628-FE68-615B-9F00-00000000FC01}1772NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023285Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:43.573{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=655C3B37207D15D536ECAD948160E513,SHA256=DF15E2B37F538E7271C36BBDF8DC0F608C5FA243A59240613F661E2637AC784B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023284Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:43.367{6EDEAD03-022F-615C-2705-00000000FB01}41366760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023283Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:43.210{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-022F-615C-2705-00000000FB01}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023282Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:43.210{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023281Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:43.210{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023280Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:43.210{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023279Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:43.210{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023278Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:43.210{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-022F-615C-2705-00000000FB01}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023277Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:43.210{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-022F-615C-2705-00000000FB01}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023276Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:43.212{6EDEAD03-022F-615C-2705-00000000FB01}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007686Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:44.965{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=639E5FDEFE87CC178A43EC6AC3BC4527,SHA256=D73F3D339C8CDA289E87309821AF564DF68F889224B7A4A37FE81F060527B8FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023311Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:44.714{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ADD5C8D8DEA9F6A25FE2848D8C89AF7,SHA256=8628835FF3661BC7F09E8A68566BF43C9DAB24ED0FB85E52D1C64657EB929AF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007685Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:44.793{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0230-615C-5501-00000000FC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007684Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:44.793{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007683Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:44.793{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007682Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:44.793{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007681Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:44.793{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007680Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:44.793{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007679Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:44.793{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007678Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:44.793{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007677Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:44.793{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007676Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:44.793{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007675Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:44.793{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-0230-615C-5501-00000000FC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007674Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:44.793{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0230-615C-5501-00000000FC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007673Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:44.794{49C67628-0230-615C-5501-00000000FC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007672Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:42.155{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49907-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000023310Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:44.698{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0230-615C-2905-00000000FB01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023309Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:44.698{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023308Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:44.698{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023307Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:44.698{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023306Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:44.698{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023305Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:44.698{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-0230-615C-2905-00000000FB01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023304Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:44.698{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0230-615C-2905-00000000FB01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023303Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:44.699{6EDEAD03-0230-615C-2905-00000000FB01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023302Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:44.651{6EDEAD03-FF62-615B-F802-00000000FB01}50525772C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023301Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:44.651{6EDEAD03-FF62-615B-F802-00000000FB01}50525772C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023300Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:44.651{6EDEAD03-FF62-615B-F802-00000000FB01}50525772C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023299Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:44.651{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023298Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:44.651{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023297Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:44.651{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023296Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:44.651{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023295Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:44.214{6EDEAD03-0230-615C-2805-00000000FB01}65085844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023294Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:44.026{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0230-615C-2805-00000000FB01}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023293Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:44.026{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023292Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:44.026{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023291Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:44.026{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023290Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:44.026{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023289Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:44.026{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-0230-615C-2805-00000000FB01}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023288Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:44.026{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0230-615C-2805-00000000FB01}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023287Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:44.027{6EDEAD03-0230-615C-2805-00000000FB01}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023313Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:45.714{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98C930BEE5780861962F40719D5F7270,SHA256=C3FA48A8DFF6851D9ABDD5C481D856E082F701E333385A825B1640A69684DC97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007716Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:45.965{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0231-615C-5701-00000000FC01}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007715Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:45.965{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007714Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:45.965{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007713Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:45.965{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007712Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:45.965{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007711Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:45.965{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007710Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:45.965{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007709Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:45.965{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007708Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:45.965{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007707Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:45.965{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007706Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:45.965{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-0231-615C-5701-00000000FC01}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007705Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:45.965{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0231-615C-5701-00000000FC01}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007704Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:45.966{49C67628-0231-615C-5701-00000000FC01}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007703Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:45.793{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F479EB67A320371B3DBB3CD7D003030A,SHA256=168CF13549B471097E6E291E663299FD26537FFCE6F79AEB5B8280BBC6C16627,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007702Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:45.793{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30392DC7CE08494ABE52D20224FD17EA,SHA256=93B54A04DBC659C2F58FCC4AC911EDBE014F0A1D51507C28B74ACDAFC6970E13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007701Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:45.496{49C67628-0231-615C-5601-00000000FC01}31203940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007700Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:45.293{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0231-615C-5601-00000000FC01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007699Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:45.293{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007698Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:45.293{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007697Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:45.293{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007696Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:45.293{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007695Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:45.293{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007694Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:45.293{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007693Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:45.293{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007692Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:45.293{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007691Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:45.293{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007690Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:45.293{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-0231-615C-5601-00000000FC01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007689Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:45.293{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0231-615C-5601-00000000FC01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007688Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:45.294{49C67628-0231-615C-5601-00000000FC01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007687Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:43.076{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49908-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000023312Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:45.026{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DCE3C89CD7711A6C44A9554C3731DC6,SHA256=D8AFF0C81244B8FFD59C928138B832219121A6E2538D3A8E587C2C366300977E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023322Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:46.729{6EDEAD03-011D-615C-0305-00000000FB01}57405284C:\Windows\system32\conhost.exe{6EDEAD03-0232-615C-2A05-00000000FB01}1308C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023321Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:46.729{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023320Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:46.729{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023319Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:46.729{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023318Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:46.729{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023317Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:46.729{6EDEAD03-FF5F-615B-E202-00000000FB01}9723552C:\Windows\system32\csrss.exe{6EDEAD03-0232-615C-2A05-00000000FB01}1308C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023316Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:46.729{6EDEAD03-011D-615C-0205-00000000FB01}54284716C:\Windows\system32\cmd.exe{6EDEAD03-0232-615C-2A05-00000000FB01}1308C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023315Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:46.737{6EDEAD03-0232-615C-2A05-00000000FB01}1308C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigestC:\Users\Administrator\ATTACKRANGE\Administrator{6EDEAD03-FF61-615B-7756-1D0000000000}0x1d56772HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x800000000000000023314Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:46.714{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5940A7B2F2DBCDF4FB2ED683A9B0968,SHA256=3F1761A80861FFFE777901EA5BD9586C5F679DB01D44F5A65A9D236C34B90869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007718Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:46.981{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F479EB67A320371B3DBB3CD7D003030A,SHA256=168CF13549B471097E6E291E663299FD26537FFCE6F79AEB5B8280BBC6C16627,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007717Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:46.262{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B0B92D6DF6C335238474DDED1F7BCA0,SHA256=DE56EC0E4A99B216B326E9E81B747CC33FE5C08B0C1310B289B244DD959E26AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023324Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:47.729{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BEB5618EFDD4267ABB10EEE78FC05AA,SHA256=2B31D60280E8A7333CCFADD9EF3B11BF35ED9DE8716E501EEC7DA6BB394F8782,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023323Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:47.729{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F28445391EB2507AEDA657E5E209865C,SHA256=D599BF28F6FD0809BFBBA213B1DFB9D941570B2AE9CA553E223C52FAAA9BCDBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007733Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:47.262{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F72A9A91E3B6FCA27F7A6A111404653,SHA256=4A810BD0E6128AD8A1A31A6F6508598DA3B2E304C0183F0F48E59E9C5E0759DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007732Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:47.231{49C67628-0233-615C-5801-00000000FC01}39242592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007731Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:47.074{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0233-615C-5801-00000000FC01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007730Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:47.074{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007729Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:47.074{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007728Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:47.074{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007727Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:47.074{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007726Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:47.074{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007725Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:47.074{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007724Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:47.074{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007723Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:47.074{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007722Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:47.074{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007721Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:47.074{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-0233-615C-5801-00000000FC01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007720Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:47.074{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0233-615C-5801-00000000FC01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007719Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:47.075{49C67628-0233-615C-5801-00000000FC01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023325Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:48.745{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC6228B336A4C5DCB2289ADB030DF093,SHA256=2CEB757D53FA3BCE6F0FD47FF8C6EE93DCBCAD5CE9640689AF026EBB152ABC86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007762Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:48.965{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0234-615C-5A01-00000000FC01}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007761Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:48.965{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007760Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:48.965{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007759Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:48.965{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007758Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:48.965{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007757Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:48.965{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007756Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:48.965{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007755Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:48.965{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007754Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:48.965{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007753Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:48.965{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007752Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:48.965{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-0234-615C-5A01-00000000FC01}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007751Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:48.965{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0234-615C-5A01-00000000FC01}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007750Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:48.966{49C67628-0234-615C-5A01-00000000FC01}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007749Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:48.449{49C67628-0234-615C-5901-00000000FC01}34683404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007748Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:48.324{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3528E018779578FF442039284C213F6,SHA256=01E030A865F74D4536F67102468631985649F4D04623A22B1C6B23BCEF574130,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007747Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:48.293{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0234-615C-5901-00000000FC01}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007746Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:48.293{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007745Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:48.293{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007744Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:48.293{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007743Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:48.293{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007742Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:48.293{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007741Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:48.293{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007740Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:48.293{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007739Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:48.293{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007738Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:48.293{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007737Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:48.293{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-0234-615C-5901-00000000FC01}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007736Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:48.293{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0234-615C-5901-00000000FC01}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007735Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:48.294{49C67628-0234-615C-5901-00000000FC01}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007734Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:48.106{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=053F6A6883BA71FDB0AC25EEA9200D9E,SHA256=4D5D96AF4531BB577A72A509B59A1EFF714C174E5E2FDC9C4DC2432C307FD8AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007778Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:49.715{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0235-615C-5B01-00000000FC01}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007777Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:49.715{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007776Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:49.715{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007775Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:49.715{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007774Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:49.715{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007773Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:49.715{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007772Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:49.715{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007771Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:49.715{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007770Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:49.715{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007769Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:49.715{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007768Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:49.715{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-0235-615C-5B01-00000000FC01}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007767Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:49.715{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0235-615C-5B01-00000000FC01}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007766Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:49.717{49C67628-0235-615C-5B01-00000000FC01}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007765Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:49.402{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F1E45F69C2F2798937B2D028855E8A9,SHA256=BD98255ACE3AE0996B43169A4BF3BB67A2BEBE3B2F07983626E9799FCCC964B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023327Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:49.761{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=821018AFF078C9A5C3026AD1D94FCFDE,SHA256=DF5F724AA40022615B193A53CAC77D388F354D19B434ED3F8967796DBA6BDFF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023326Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:46.726{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61958-false10.0.1.12-8000- 23542300x80000000000000007764Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:49.309{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0772B37C529E5371F513502202E26DE,SHA256=D1CFAA8518DD6A6C8CBA56095E0BFE7104DEB5A2D6B08064FF4D0E07A0C1296B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007763Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:49.171{49C67628-0234-615C-5A01-00000000FC01}39883552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007781Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:50.731{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCFFB1155CC7EB35AA922849A0B07163,SHA256=62E1F7BEBA83E92395D0CDCE99A445457CCCAB408523898C43E6C9A6DCA3B85C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007780Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:50.652{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=754C8D648BC1B365A18498AA9797DB0C,SHA256=5FDAD11DC2A7664618CEC52D0F3CDECD0DAD11BC31284B029832196E891E2902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023329Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:50.776{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51108013E3ED42BE08ADFB8F2004081E,SHA256=F9ABD597ED738FAE94FBAE0349B3780EEC5C9F82325CB8A6A4C009AAA700D50A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007779Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:48.091{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49909-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000023328Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:50.401{6EDEAD03-FC1D-615B-1200-00000000FB01}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6E055394B453324F2B61198AD7D317CF,SHA256=17D08B2CADB5A90F4AC090A094DE3F8FD518282F5CD609C4C99F9C36AC9B18B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007782Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:51.762{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F833B3AB4D7B8DD74DDEBE5BFF9EEB80,SHA256=EE7F8CA478562C697EBC21C9D4DF215B93467587F8A71893950977C93021B51C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023330Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:51.776{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246ABE13AF2A33DA2CF0F7C211917563,SHA256=AB99EE8AF4CD94C43E48EBF73C53CE096DA8DBC7B7BC0A41974F7032968ED4EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007783Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:52.902{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0670B2C320D55DB32A50A5BD9FF36352,SHA256=156FA1885A7D6A8CE9A82C44F85EBE1DB25DB7F1F34B3E9F1449CA3A5446169C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023331Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:52.776{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A211C9C4F2091C929384E4CC0C4ABB65,SHA256=AF1C79942E9268746F290551EEB7AA13F5DEA6CB46502BBB38C32D57A5C6C6C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023332Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:53.776{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B832742F1747B9869AB23EA472BFE99D,SHA256=1BC66E4DEEFCA25AC3C88734025A7C33BBB177CD0663FF7C76716CCC9DE8BED3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023334Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:54.776{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB3A43055DC130821878D26162421369,SHA256=D2B4A8EB2DD6125A83840EFAD772F0FE2201744889BDF3789788FDC027C0ECAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007785Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:53.107{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49910-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007784Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:54.027{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0228A47E0691EACE2709EABEF9C37BB0,SHA256=325EA99A5A0779E1CF1532153FE1BF5588C35EBBA5234568E559A793B0850382,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023333Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:51.866{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61959-false10.0.1.12-8000- 23542300x800000000000000023335Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:55.777{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1259DFE276C09E8010551BD87475F8ED,SHA256=7453C469C4AE4A0F36D755222BBB09A08BA971CB032C3CA76875FEFEE8EBCA1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007786Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:55.027{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E620C6604144C154F2D11F49B680B27C,SHA256=D724DB9E4B4E65A4562850178F7430F708C9E1C349939A7AAA95259CDC0E95FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023336Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:56.823{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DA09D769E1B8B6F9640C5F217085A28,SHA256=07C578ED3B2771261ADD7EC4E0736CFBD72E4E06186F07A5AED8FC11E7362A03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007787Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:56.028{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEBAAFB5E7AED437199DE382569283DA,SHA256=91A9F43C815B7A2396D7EE292873C3D9F856CF8A1511ABAECA44226FDBDC401B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007788Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:57.043{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B25F0D7EABA48A8B207230E320E2AD66,SHA256=6CC182DFB1BD96A804BFCD781EF6BC9D784C97611375FA2A548D15ADCEF8175D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007790Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:58.632{49C67628-FDEB-615B-0D00-00000000FC01}776936C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-1400-00000000FC01}884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007789Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:58.054{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7297D2838351A08B356BD399095BCD1A,SHA256=B9BD300EFDBFBD8AF32707972BD5C7F084BFFCBD86DBE301C92AB06096019A59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023337Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:58.051{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F73D3279702E4FDBE63D818EB7A22110,SHA256=9CCF433F21D153EA66810269F3445D1AF3D3E63EB6CC3CBE6EAFF5C2B2275BC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023338Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:59.286{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=359B37778160F3AA9B1B2A9295740168,SHA256=7A09E5C737294F139D71954874A3476AF30545B5C37F854D4FEC2E8A56A67A09,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007792Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:58.212{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49911-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007791Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:43:59.070{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CA2C58254B0C6662D94E80371E03A2C,SHA256=00C18A1FD71441A7B5516B153B0B7B70DD0944C5C5BC87D08C512BFE2486D6AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023340Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:00.348{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA91D30296641D853E9939DE1488EA2D,SHA256=76B508D2F1469BD3AD354F92CB90ACE98ED5C870FD7A324BE325ED2F4EB709AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007794Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:00.623{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\respondent-20211005072534-017MD5=9DBD3CF651CAD1963D7DD9E70795396E,SHA256=D00FE5240C0E39CC33FD8ADFFDA13197E8833401D0A3D05F731F6A79B8E00229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007793Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:00.085{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BE16D2505F23114152474421F6043F9,SHA256=0F3E4F597AE030F7D537E8C33D7BEC01EBCF960CB7D6A8259CDBCFBB940DA22B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023339Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:43:56.866{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61960-false10.0.1.12-8000- 23542300x800000000000000023341Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:01.364{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16B275B3ECF16F3E1471EDD69B7B52A1,SHA256=7B2AAA9E7C062CCD608BBAEC901B59A278772B9BFA0A0BD83CBDA5D7AEAE2A90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007796Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:01.632{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\surveyor-20211005072532-018MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007795Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:01.100{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E9B455FF3A2A775AED9A7F49783066C,SHA256=0BF43A546B3151DB164BF0F4E85AAAD96EF493F190C5FB1695A5DF7B1833522D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023342Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:02.380{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4FEBF4FB213BFC9AA16BA72A0C5184A,SHA256=C14EA95B1FC3C4767261FBFA427E7FCE9F7B17EB5E6474318C52BBB76F4DB07B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007797Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:02.114{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=062C4A22AFF64DF72C86E5EF0144FA6E,SHA256=50AA53902C68068CBCD6B6F1FB2F1C6A254E40449CD1737EBC70D4555F744619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023343Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:03.395{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7C4DE97A093E4AB1CE3C677620A5189,SHA256=F4A1D07F4CDC024EA68115735AF11E14FC88BA1348B48EA7AFA1719C7CBE1BD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007798Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:03.116{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D2560408F3DE6A7A346886C2D51CDFB,SHA256=AA58BBD27D2DB327A6752D3F8EBE4357DB0AB01432782394ABBD63EA5833CF35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023344Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:04.395{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37D345344656615E2485F959B55714FC,SHA256=CA5BAF66B8E06F98C9A9877F0418657ED9A6DD23E36FE80B54770852BBD06169,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007799Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:04.117{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F6F2955FB17E8B9661CDFC317F56DA4,SHA256=541EC53C4FB0620B660E636080D148EF747214D45F67AEE5099AACD62D0A7912,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023346Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:02.751{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61961-false10.0.1.12-8000- 23542300x800000000000000023345Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:05.395{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=924E054970CE127096F3AE81ECFA0177,SHA256=FECA89F169BDFC90F2C3A353E1FD940D209C5B5C1A7D5D431C0F98C187A06B95,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007801Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:04.134{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49912-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007800Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:05.117{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB6AC17BA26A8836AF4A90DA8BE68988,SHA256=4BF2CED9FFA58098D461A03246A70A893651100067071636FECDA8873A9BABA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023347Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:06.411{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB4F6AF79930928311398FE8E893AC92,SHA256=EB4658E4B6643F4ED4B90AB05673EDA198C1692DBF44C97FFF23D5BD280627CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007802Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:06.132{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F937E34D918B281D886DD02ABCDBF5A,SHA256=704D304FF4C86AEBA3E02FC306AD0C46FC5BCE8D107EA4FB9992D6929B6EABA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023348Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:07.411{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24856275B59DE0755E8E0EE743D06782,SHA256=1C0E7D8F3F24C466544F7D09312629F26D3AF69902CFD88BF25C767238073AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007803Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:07.132{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=008C7A241DEF8D856308F62717C52199,SHA256=C397A847CEF5E5802DB35D785BBD9C5FB7EC16CD51106AE2A7DD3F8AB33C8D6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023349Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:08.442{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FFAD9722727932050A193814C67F527,SHA256=F4EFAB9EE15CAE7191CECA0A38E543AF1A05A802B7FEBF36E1836FC9E7726374,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007804Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:08.132{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04A074B8A4625C74A48D54DDE757FAE1,SHA256=1BC86C1ED756ADA3F9AA728175BDBE1BE0F994DA7717B87DACB7F5355DF70A2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023350Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:09.458{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE7A376779E7BD4785BF0E3AFD9404B8,SHA256=9CD3D0A304FC8CCFD5DE38141BD68204BA6C278957F7716C6CC176512CAAF8C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007805Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:09.132{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBF31399852603F98BFB9615A39A0100,SHA256=52ABC2F1E41401D01523189AD67A031BB1725FE864FEFBAE38FF7AF1543F6468,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023352Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:08.688{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61962-false10.0.1.12-8000- 23542300x800000000000000023351Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:10.458{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F0FB29DCB20A47A37FA4C7C83FA5BE2,SHA256=C3220B0EA224686D134B7B949573576CCF0872F5649BB76884742CDFF85EA9FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007806Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:10.132{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB9FD92C29F45507020EAC60D8C35449,SHA256=AFFABA9E087407F36A1EDB46F5820810FEE61D514096149883E04EFB662D7572,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023354Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:11.786{6EDEAD03-FC1D-615B-0D00-00000000FB01}9082660C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1600-00000000FB01}1288C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000023353Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:11.489{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F310069E112E3DCA7CC9E9A3C1D3A0F,SHA256=49DEFCA0C1B74B4F75277E620BEE46812875CC69298FABE2DA69DF294A64BD3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007807Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:11.132{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78BAB076C454748FD39716A3D40440C8,SHA256=EDB8CAED45A4B7E2C5F4A45518D67FF053A3F630354FD892EB690A912EE9F9F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023355Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:12.520{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1EF41A18BB86F99B6E74F0131443C78,SHA256=705FC38DF2A4A13DD320797236F492821A25FFECE6DB594ADB8A1377C8F644F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007809Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:12.132{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F1619981C50EF6BB6C5A9E7DDB4E9FA,SHA256=1A2871B27CB4E33289C464202013964C3B70421E50C9747EEFF4DE74C5729C24,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007808Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:10.087{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49913-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 13241300x800000000000000023357Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:44:13.755{6EDEAD03-FC1D-615B-1100-00000000FB01}480C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b9bc-0xcac402ab) 23542300x800000000000000023356Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:13.645{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA98BA208B5531AC40137626770B7A73,SHA256=E74FE046360879DDE44F52FA7BCB1D3F207C9E5AF62FA51FD04C58B4F749ABFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007810Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:13.132{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8ADE48FC6AA6432A9DA5EB7290DB5B6,SHA256=F143A88BCDAB51F6403219A5AB8B225A28004BA4118C63D9B2644DA989DAF8B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023358Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:14.739{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A21BCFA862D14DF7034EDA2C4CCB1F81,SHA256=5B2A56CA5BDB3B8D2ECF54100329AB6DEA1F85CDC5CF5C06DB56F8C8A1419265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007811Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:14.132{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63704E071D23B60C62E94F3EC1C3FDD9,SHA256=82E73F82D85F84D4C73B067F080F7DCB4B813C1BBA3EB8FBDAC6374DF5CDBDAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023360Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:15.958{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30416FB675152E9C71AD67D39DA6C902,SHA256=11B7E6D66784047302D7F2D9D60C8FD8F771FD69E7F547A02F0FA583809E0607,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007812Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:15.132{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2D979E9117B430D2E9747B6A760BCF0,SHA256=8EDDFCA9CB1C7F3ABE647F509BB9E4A41FFB9C860852E09AE53CB48B83A03ACF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023359Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:13.860{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61963-false10.0.1.12-8000- 23542300x80000000000000007813Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:16.132{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1214879DF1B71C185236847D94F2C32D,SHA256=546B9E46240AF5D7A29285C324F11D8B8C1229E000DDBF4A82E4888D5F1A423E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007814Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:17.148{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65604AE47152A7CEF11CF9DEDBA9F21B,SHA256=05138DBE49CC8E589175A31BE3976466FA376B759E6B0A3DBDA391A52597EC57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023363Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:17.348{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B455C556C5324C8793763354AAFEF74,SHA256=20ECA5289E7E0F8E8F418E237A000D47BA55C77A77D49658FF71A4D705E8F461,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023362Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:17.348{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A471479466701195F7FBE6CC1E18D73,SHA256=EE6DE67BED8D8B4CEABF3368481F11D7359199B7FD2B7D6B03B8FB1B710DF126,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023361Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:17.005{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A062CE8992AD7C83E3D4A9C0D379D400,SHA256=B7A3A46C436E4DF23D29982CA513F1189C352F75DA23500DB7D171A1266EC22C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007816Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:16.118{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49914-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007815Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:18.162{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=132C80C2B49D963FACDB6A0AC72B44A4,SHA256=DED941BACF91DE9EF77FED034F302BD704A807638E50188A750C78BEFDA00731,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023366Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:15.923{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local61964-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 354300x800000000000000023365Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:15.923{6EDEAD03-FC2A-615B-2900-00000000FB01}2912C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local61964-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 23542300x800000000000000023364Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:18.019{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F51BFF114A9DE122DEEBC1CA286F2CA,SHA256=43D59BDBDAC365C081F908676CB41882C2526D1B7961376A7947D601F0259540,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007817Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:19.162{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EB39A82B18FCCC1A41CC2498F75553D,SHA256=D04BE7968DFBA01556FE81E8EBEBE2635B166E17FFDB5ADCD101FF7E9D9306A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023367Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:19.035{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=664CD6A1CF34460115DF73CC6C170D6E,SHA256=5A6AFAA33984D5A2A7FC1C2FC5B66DCAF3290AF1A35A6454598B35E66D6D7449,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007818Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:20.162{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A0146F34A137F5B7DC841BF31A4E61A,SHA256=285C41A4096262E9161DC765A2238DC19469413F9C6FE42334675AC373381D6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023368Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:20.035{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD24897BE8516C0EAE30BED7C5D6B5F0,SHA256=7BAA6258DB1F38882E5827E8433B135181E6B7A3ED60510D7A68D890D9C04149,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007819Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:21.178{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBDC053A017C8BA812DE54982B1822F9,SHA256=C5C37495BBB21579EBD0142759263D5D4DD7B1BB00D718A6B70684CD49771EC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023370Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:19.843{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61965-false10.0.1.12-8000- 23542300x800000000000000023369Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:21.050{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5E4E64B299008DC57CE2149F8A770EB,SHA256=BFA24B6369CC07F54F9F0177FE4A47C95C39B1498D49232FA973A33CAA366FEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007820Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:22.178{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AB8B16CC48D4357F171C74B21A26709,SHA256=276702B7300056F923C30D12EFD2106EC3634EE3EBF4409E47C8DD4C4860A2E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023371Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:22.066{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=504A349D99538135039B92BCC31B2166,SHA256=FE17F89CCF5776593670ED8AE35071954B69ABAE874CFA53887EDA34F4F13972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007821Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:23.178{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4296EEBEABC440D4C3F914E71337AF0,SHA256=48D8F2DAA9F5A22668A5147667FC9AE183690028942C85D67E9CDEB65DC7829C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023372Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:23.097{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=718FB2B715FAC3C33D321D28F8236BFE,SHA256=229EB2D36AE1D9D9918166C0C4B3B5BC9D5C0E9600A2ED219B304A8B234634D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007823Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:22.070{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49915-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007822Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:24.193{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C43461345C049A369016BCC22365C044,SHA256=E705E3ACC61AAA3CA68227FBFB5048D76619C6655D440418CDDC1EAD01AA83D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023373Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:24.097{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F211E3545A1D83AA56706A053A65248,SHA256=69246323177E37CEC1BDA805F7C458D022715F40A00725214206FD021D50BD59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007824Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:25.193{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A644FEA4253200824F5223D1F65FE2B1,SHA256=A7F8A869CFC145447F33E1A3F4A476AC84151998B4F8DD83C49C381E21526353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023374Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:25.206{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D511B4ACAF37D7B9635E804C085218E9,SHA256=52E145F765233117F6BF835162ECFB7DB65240917EF06B1B8DDDADF6A0EA9942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007825Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:26.194{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCFE4AB8B02E738B3FB47B0CA8F3EE70,SHA256=9827C04657C79E0D9CA0C5CAC6DA5B7B186F5B1EF2A686839AED3FF25B1F0133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023375Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:26.206{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57B77DF91FA57C9FEA5E379301A1384A,SHA256=311D56101CBC0172394B164882F6ECEB62F027FAEA7B6187A959B5324EC70AB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007826Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:27.256{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=429323AD474A0A92D1A41D0050E5AD59,SHA256=2C14A6CFD22A4A5DCCDBC4AA61AC46143600CBCB63C5C6DCD53CDD1E8CEC9905,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023377Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:25.626{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61966-false10.0.1.12-8000- 23542300x800000000000000023376Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:27.222{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C36EFE8E65871CB8215CB29CE0466A59,SHA256=1A32ED24878004FC402F4B5A1CD756EAE89157ED96E2CB04AE9688B5C9E013BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007827Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:28.272{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84D23B57F58445E2921BC34AE1333BFA,SHA256=052229148D0C346EAE6C54DD996670B96E4D835194651BFB719472BDDDD2DF12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023378Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:28.253{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C653E9A47B2532F4F0E1EE8A7841934,SHA256=CCAD7DC23E5906B5833AE09BAD45C38A95E880DF7F0DF9977D74B2089E883A19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007828Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:29.381{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E5186D80D91712E7C12971343C8244,SHA256=68F2FC75C5D4AB14F1288268ED2D6D148CD3652FA8374865B71803D99B89BED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023379Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:29.269{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D94442DF4B20C39A90AAE9D127F78E,SHA256=BE18F07662602A4A4BF184DC34497DC7EDC28D4E53A8A73DFEFA61D3947E0602,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007830Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:30.522{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=850B8246C275092F7DF19FEAE1FABA4B,SHA256=39F92962FBEB6C2C7134CD8A5CC6CD13ED56D77A592C099A750BEF202C1702E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023380Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:30.269{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2B99B2BE0AD23EC063B45FC12D1808B,SHA256=1E5F29624E24FA66F97A71B90F49A043525A521BEA5039CE7ED4577905AD9743,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007829Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:28.101{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49916-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007831Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:31.537{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96A15A17D591258AFE03174C7B6063F9,SHA256=C00C427370E74549D9FFA464B3630CB5D981F083AE578A69F9DE7BA3F6A4FAE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023382Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:31.847{6EDEAD03-FF62-615B-F102-00000000FB01}49805088C:\Windows\System32\taskhostw.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000023381Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:31.300{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84D4A9A80AFD48AB675EBEEF38939AF8,SHA256=C346FC88219FA740E48C549505B11E7DB1F67D7BC11F45C23BC464AB47EE82C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007833Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:32.772{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=103D6241815B2CA4E10F2CFB9C5CAB00,SHA256=C6A6DE82EFAE658F76FCDFA11B21D8B621DD7160DE182B351228A42BB2A2A900,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023383Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:32.300{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3155B637AAA5B8817E861673851D6CA4,SHA256=87872AD164977B2134214857351CB60EC79BFD4B634FBB67C2C9F4958C9E50AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007832Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:32.178{49C67628-FDEB-615B-1100-00000000FC01}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=31B347BCFD55B0676B5004C7B7B24A86,SHA256=95D5A5212E81E21FB31C8677F3082B601BC6CDCA2E87274432C5E43AF049A120,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007834Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:33.928{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B564380966793841EB166CFEDD370246,SHA256=5A5BADFEC2A906A1E90EB0260717D551A1A63462F31DCC6BBD7265A45E4B6AA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023385Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:33.331{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4252A38DF68D7A56A4339DE4BB1EEDD4,SHA256=A67D67EDAB5D6418CFF5405F148B64C9E514A90F012B2664548DB3176A268CD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023384Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:30.703{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61967-false10.0.1.12-8000- 23542300x80000000000000007836Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:34.959{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12676241D8F6AD849DFA42C2311C6129,SHA256=6F6F73CA03272BD5337AD8C31798AFD19F3B3936CA6471C75997F35DF9D9FE84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023386Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:34.363{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E40C48CC49FDB3D9EBDB64867FFA81F0,SHA256=86C96E8BA64614CE0E88CEED8305E84616F6E530ED45B78C934AF3DA4BA8A327,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007835Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:33.273{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49917-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000023387Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:35.378{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5218008E0FC3D3BA01A55D8F6760D5C1,SHA256=9EB34B51C606B750E576363938D1B7C33D30C95095DF4A0F1D1401A8EB6F6402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023388Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:36.394{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1A58F679C9489D9DC05D642D74072A0,SHA256=867E5590F0E6AD002B4A08D4F4937013EBCE2720507D8A0A8A11DAEA5208A628,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007837Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:36.178{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BA63A4949F0B0459C21A268F657BFD6,SHA256=4CED1247B46912EC381212E023E72DADFAADA6E2EEB42055630774469E44044E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023390Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:35.797{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61968-false10.0.1.12-8000- 23542300x800000000000000023389Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:37.425{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E638FEFA7835C6D4D78AB217A495DE1,SHA256=C82FE330A3B85F46EB8F8CC50144BE93200BE30B7833C797C6A016392872ACED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007838Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:37.272{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60380F4F124DD1768262CD59B250D26C,SHA256=2525E25CE719B46F310ABD865A99E994EAD61508D0075C83E7DA53BA1E08F757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023392Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:38.790{6EDEAD03-FCBF-615B-AF00-00000000FB01}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023391Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:38.430{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=112CA0E01ED1E956BF7ABA35D0856DD6,SHA256=1F5F171A3433CCCAF8E6CEEAEE03A89395D6F2EFC667AD1ABD8DAEE294C3C754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007839Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:38.277{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8742C56AE6EA187A95B86D696E42006,SHA256=44E2BA42B2C4FCE8503A844205A2E0C7638A41832C5F700F8E8D3B219740D65C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023393Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:39.462{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92EF8CA7A2E3BC6B5FA0409A57DDD5E4,SHA256=DCD21C2725F0265F38E4DA33B7F65F2D1EA7F0E8F2CF20989F1C22F06ABF8E0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007840Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:39.293{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01C830FA8A23C3BB603261AC8E88BCBE,SHA256=2E6F0A3CD03E8CB7A5D9301664A4CB1ABAF1C37D7BA46B0840C0CC6863E5D4A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023410Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:40.993{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023409Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:40.993{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023408Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:40.993{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023407Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:40.993{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023406Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:40.993{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-0268-615C-2C05-00000000FB01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023405Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:40.993{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0268-615C-2C05-00000000FB01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023404Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:40.994{6EDEAD03-0268-615C-2C05-00000000FB01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023403Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:40.477{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=759D21C2A1533CCF19AF4847B9F2013D,SHA256=2B1C92D366DA0B06A2EE103E329E10066DEDE807D23B54BF2559FE1C6F21440A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007842Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:39.201{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49918-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007841Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:40.293{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0919D808E4BFDCA0E00D0DA49B00B913,SHA256=A95D547337C9E77B3C688CFD81DDE0A2B2214BF11A97E9FA08E4641ACDA42042,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023402Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:40.352{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0268-615C-2B05-00000000FB01}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023401Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:40.352{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023400Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:40.352{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023399Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:40.352{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023398Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:40.352{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023397Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:40.352{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-0268-615C-2B05-00000000FB01}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023396Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:40.352{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0268-615C-2B05-00000000FB01}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023395Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:40.353{6EDEAD03-0268-615C-2B05-00000000FB01}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000023394Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:38.380{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61969-false10.0.1.12-8089- 23542300x800000000000000023423Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:41.633{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26545CF543AB898D9118D6439600068A,SHA256=274F16361C1E3FA90077F07A78C233B5EBAEC49D2D7BD3300A657F0E07EABCD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007843Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:41.293{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D9EE7D03BCEF41FB4A5DC6F7C244110,SHA256=32F57DC5017FA4806F0DD2C7A5617A0B5FD144F1E629C54136D7DF14F4C7F755,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023422Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:41.618{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0269-615C-2D05-00000000FB01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023421Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:41.618{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023420Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:41.618{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023419Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:41.618{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023418Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:41.618{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023417Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:41.618{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-0269-615C-2D05-00000000FB01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023416Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:41.618{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0269-615C-2D05-00000000FB01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023415Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:41.619{6EDEAD03-0269-615C-2D05-00000000FB01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023414Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:41.368{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97660E12A5DB2CEC555060373D3D8699,SHA256=546783AD95BB2AC606A72123F68A9C41256654BD334B275C149D90536989557E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023413Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:41.368{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B455C556C5324C8793763354AAFEF74,SHA256=20ECA5289E7E0F8E8F418E237A000D47BA55C77A77D49658FF71A4D705E8F461,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023412Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:41.196{6EDEAD03-0268-615C-2C05-00000000FB01}63644612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023411Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:40.993{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0268-615C-2C05-00000000FB01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023434Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:42.821{6EDEAD03-026A-615C-2E05-00000000FB01}49646456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000023433Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:42.712{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A0C690F5D89C69AAE57DB612D2F9457,SHA256=B56BE4C4AC0000FB29307E8EE00BB426C4BF5818914DFE21A3682A6AE78054FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007844Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:42.293{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC7A2DCB3A52B95B74BEE1B88E22DF93,SHA256=5B80871A2917FE8E664BC104E61CB01769784F0323D989C81819E8275CD09161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023432Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:42.633{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97660E12A5DB2CEC555060373D3D8699,SHA256=546783AD95BB2AC606A72123F68A9C41256654BD334B275C149D90536989557E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023431Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:42.571{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-026A-615C-2E05-00000000FB01}4964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023430Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:42.571{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023429Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:42.571{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023428Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:42.571{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023427Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:42.571{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023426Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:42.571{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-026A-615C-2E05-00000000FB01}4964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023425Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:42.571{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-026A-615C-2E05-00000000FB01}4964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023424Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:42.572{6EDEAD03-026A-615C-2E05-00000000FB01}4964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023453Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:43.917{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-026B-615C-3005-00000000FB01}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023452Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:43.917{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023451Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:43.917{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023450Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:43.917{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023449Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:43.917{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023448Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:43.917{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-026B-615C-3005-00000000FB01}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023447Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:43.917{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-026B-615C-3005-00000000FB01}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023446Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:43.919{6EDEAD03-026B-615C-3005-00000000FB01}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023445Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:43.714{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7369150FE207073E484AB15A7996A42B,SHA256=A99ABE93B972C38D70C5761EF3533CC6562B169945ADE0D8D856BD0C267318C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007846Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:43.293{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8181AD4DAF292C8EA0A34A6E30DDBFE5,SHA256=AC58FA0E82623A281B942B0E9720142DBF1AD85E0C3F2BD399FC3E199A2CF06F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023444Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:43.451{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\respondent-20211005071805-025MD5=AA6F78CCC35FD74424B933C975A9F779,SHA256=482DFC86E7C4A11E76E3E352EB64B396C84C083D9F57F37823883232EC55A225,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023443Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:43.246{6EDEAD03-026B-615C-2F05-00000000FB01}70407100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023442Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:43.074{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-026B-615C-2F05-00000000FB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023441Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:43.074{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023440Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:43.074{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023439Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:43.074{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023438Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:43.074{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023437Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:43.074{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-026B-615C-2F05-00000000FB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023436Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:43.074{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-026B-615C-2F05-00000000FB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023435Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:43.075{6EDEAD03-026B-615C-2F05-00000000FB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007845Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:43.090{49C67628-FE68-615B-9F00-00000000FC01}1772NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023497Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.920{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023496Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.920{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023495Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.920{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023494Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.920{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023493Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.920{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023492Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.920{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023491Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.920{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023490Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.920{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023489Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.920{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023488Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.920{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023487Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.920{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023486Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.920{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023485Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.920{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023484Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.920{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023483Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.920{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023482Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.920{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023481Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.920{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023480Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.920{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023479Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.920{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023478Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.920{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023477Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.920{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023476Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.920{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023475Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.920{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023474Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.920{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023473Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.920{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023472Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.920{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023471Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.920{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023470Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.920{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023469Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.920{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023468Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.920{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1100-00000000FB01}480C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023467Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.920{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1100-00000000FB01}480C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000023466Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.779{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B93AFF275AA0D345AFB250D951C912E,SHA256=9D2BAE59917B10F6115924B8FC0DFE6A0B35C73E484D44B3F36D3EF2CBE80D99,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007861Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:43.107{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49919-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x80000000000000007860Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:44.793{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-026C-615C-5C01-00000000FC01}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007859Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:44.793{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007858Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:44.793{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007857Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:44.793{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007856Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:44.793{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007855Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:44.793{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007854Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:44.793{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007853Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:44.793{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007852Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:44.793{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007851Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:44.793{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007850Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:44.793{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-026C-615C-5C01-00000000FC01}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007849Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:44.793{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-026C-615C-5C01-00000000FC01}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007848Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:44.794{49C67628-026C-615C-5C01-00000000FC01}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007847Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:44.309{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E33B85298A87CA067226B5E013A14077,SHA256=B0F458231D9A3DC61F0BDD1C4D5A31F04FBEEFA0F3D355A9A4BA9A4AED755C03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023465Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.592{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-026C-615C-3105-00000000FB01}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023464Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.592{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023463Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.592{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023462Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.592{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023461Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.592{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023460Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.592{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-026C-615C-3105-00000000FB01}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023459Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.592{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-026C-615C-3105-00000000FB01}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023458Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.592{6EDEAD03-026C-615C-3105-00000000FB01}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023457Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.466{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\surveyor-20211005071802-026MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023456Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:41.802{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61970-false10.0.1.12-8000- 10341000x800000000000000023455Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.121{6EDEAD03-026B-615C-3005-00000000FB01}70644720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000023454Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:44.089{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F09F8DD1FF28678DAD47C08A3092D791,SHA256=C7F4B6EC8D34E6EFEEB7DE18FE4B0CB4C83DFDA9F83D2CF26F591C2A1FAFB160,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023499Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:45.878{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C5527CB36BFC33C6D96882FBE89BFA3,SHA256=BE8DFF0C2E928110F1919704372F1DD2369A6D1F3E3254EBCF2D2372570A747F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007878Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:45.902{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=731640C387FD951D349CBBBC70CFEAF0,SHA256=C98AB1AE0572EE849AE4AB1FB34F0C0FF6C20E12256380695EFEB4F1A1E84326,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007877Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:45.902{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E670113ACEBEBF4CB90D62DAE9F3D4E4,SHA256=C823C5A1ADEB2CEC81B57577946863F0A881FEB99B8A15980E0A0060681F5631,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007876Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:45.637{49C67628-026D-615C-5D01-00000000FC01}28003608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007875Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:45.465{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-026D-615C-5D01-00000000FC01}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007874Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:45.465{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007873Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:45.465{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007872Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:45.465{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007871Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:45.465{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007870Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:45.465{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007869Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:45.465{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007868Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:45.465{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007867Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:45.465{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007866Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:45.465{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007865Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:45.465{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-026D-615C-5D01-00000000FC01}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007864Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:45.465{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-026D-615C-5D01-00000000FC01}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007863Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:45.466{49C67628-026D-615C-5D01-00000000FC01}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007862Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:45.309{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8297F4344E7F283ECDC8006BA4D9F73,SHA256=E0CC08C009A3642048579D82137C78E7F36C041F5943B5B6461D702ACDF561E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023498Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:45.613{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B241E9E1C7C4B236D40E57279CAF3D4,SHA256=30F34E90E02E43774DC40316CAAF8D163CBFA516B4BDA53CE7234BA5E6796D4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023500Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:46.894{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA35D00F2C64E7048E2FE46B86C5CFC6,SHA256=1B2B34AC1EA1DA5F654C64B489C9EDD1402AD99D57BA03FE4F1EC0D0C718B442,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007893Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:45.138{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49920-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007892Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:46.574{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB2DA1CB988D69CD3FA63BFCA9BE12BA,SHA256=ABBC13D5787B757584DAF8E1597A3569867A8A27CFB8C19BAE2AA1ADD4CDA44F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007891Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:46.137{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-026E-615C-5E01-00000000FC01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007890Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:46.137{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007889Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:46.137{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007888Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:46.137{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007887Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:46.137{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007886Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:46.137{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007885Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:46.137{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007884Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:46.137{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007883Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:46.137{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007882Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:46.137{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007881Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:46.137{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-026E-615C-5E01-00000000FC01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007880Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:46.137{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-026E-615C-5E01-00000000FC01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007879Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:46.137{49C67628-026E-615C-5E01-00000000FC01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007909Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:47.668{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F0E2932DB743AFDA753FF202D61C783,SHA256=AD9D19E32FC262EE6DB7E2A414A80CBB9618E3B53132A92C62C75A5FF2CFEC9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007908Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:47.215{49C67628-026F-615C-5F01-00000000FC01}30562064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007907Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:47.152{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=731640C387FD951D349CBBBC70CFEAF0,SHA256=C98AB1AE0572EE849AE4AB1FB34F0C0FF6C20E12256380695EFEB4F1A1E84326,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007906Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:47.060{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-026F-615C-5F01-00000000FC01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007905Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:47.060{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007904Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:47.060{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007903Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:47.060{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007902Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:47.060{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007901Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:47.060{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007900Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:47.060{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007899Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:47.060{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007898Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:47.060{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007897Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:47.060{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007896Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:47.060{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-026F-615C-5F01-00000000FC01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007895Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:47.060{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-026F-615C-5F01-00000000FC01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007894Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:47.061{49C67628-026F-615C-5F01-00000000FC01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007937Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:48.965{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0270-615C-6101-00000000FC01}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007936Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:48.965{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007935Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:48.965{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007934Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:48.965{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007933Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:48.965{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007932Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:48.965{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007931Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:48.965{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007930Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:48.965{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007929Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:48.965{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007928Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:48.965{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007927Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:48.965{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-0270-615C-6101-00000000FC01}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007926Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:48.965{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0270-615C-6101-00000000FC01}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007925Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:48.966{49C67628-0270-615C-6101-00000000FC01}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007924Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:48.668{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF2D75B402AE34845CB1DA75F953309,SHA256=C27F6C9EF72983F9C02656D8749BE24BA58B6A7E0E64C2C4AF390A59587720A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023501Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:48.019{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9291DB2261D47D802ABA3769F7BFDB56,SHA256=9A80D3447C507F96478BD9CE6B4EE866C967FF0430FBD07DE3C4D4974F02578E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007923Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:48.449{49C67628-0270-615C-6001-00000000FC01}32802492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007922Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:48.293{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0270-615C-6001-00000000FC01}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007921Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:48.293{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007920Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:48.293{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007919Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:48.293{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007918Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:48.293{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007917Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:48.293{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007916Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:48.293{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007915Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:48.293{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007914Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:48.293{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007913Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:48.293{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007912Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:48.293{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-0270-615C-6001-00000000FC01}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007911Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:48.293{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0270-615C-6001-00000000FC01}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007910Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:48.294{49C67628-0270-615C-6001-00000000FC01}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007953Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:49.715{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0271-615C-6201-00000000FC01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007952Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:49.715{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007951Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:49.715{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007950Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:49.715{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007949Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:49.715{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007948Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:49.715{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007947Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:49.715{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007946Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:49.715{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007945Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:49.715{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007944Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:49.715{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007943Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:49.715{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-0271-615C-6201-00000000FC01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007942Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:49.715{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0271-615C-6201-00000000FC01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007941Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:49.715{49C67628-0271-615C-6201-00000000FC01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007940Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:49.699{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE4CF51376ADE5A34D5C19EC0E86A24,SHA256=60F3FD8CC8353D56B17FF4DC20545FCB2C4B53EAB376EDD2FD7A7F8CE7B68D53,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023508Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:46.812{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61971-false10.0.1.12-8000- 13241300x800000000000000023507Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:44:49.191{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXEHKU\S-1-5-21-1984405510-3441252591-1346373189-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x800000000000000023506Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:44:49.176{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXEHKU\S-1-5-21-1984405510-3441252591-1346373189-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{ECF03A32-103D-11D2-854D-006008059367} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x800000000000000023505Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:44:49.160{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXEHKU\S-1-5-21-1984405510-3441252591-1346373189-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x800000000000000023504Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:44:49.128{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXEHKU\S-1-5-21-1984405510-3441252591-1346373189-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 23542300x800000000000000023503Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:49.081{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB37A076A5EE858BFE4F4603F370DCAB,SHA256=49075CA2B01ACEBC1DC1E98DAD58C31F61CDBC0D617198D9B92760858B471C1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007939Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:49.309{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2102A531DD6C4B94B46C447D01D4B493,SHA256=2BF1D2476CF34FB5CA48306B6EFA29433175634594A11BEA280275C92DECFDB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007938Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:49.246{49C67628-0270-615C-6101-00000000FC01}35001612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000023502Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:44:49.019{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXEHKU\S-1-5-21-1984405510-3441252591-1346373189-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B298D29A-A6ED-11DE-BA8C-A68E55D89593} {000214E4-0000-0000-C000-000000000046} 0xFFFFBinary Data 23542300x80000000000000007955Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:50.934{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DDFDD969D845530ACF59C85E33EB10D,SHA256=D9DEDDBB8C0933CAA1F963FDF689B81724479965D15CC269D9A70B028B526FEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023546Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.816{6EDEAD03-FF62-615B-F802-00000000FB01}50525772C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023545Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.816{6EDEAD03-FF62-615B-F802-00000000FB01}50525772C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023544Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.816{6EDEAD03-FF62-615B-F802-00000000FB01}50525772C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023543Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.816{6EDEAD03-FF62-615B-F802-00000000FB01}50525760C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023542Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.816{6EDEAD03-FF62-615B-F802-00000000FB01}50525760C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023541Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.816{6EDEAD03-FF62-615B-F802-00000000FB01}50525760C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023540Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.816{6EDEAD03-FF62-615B-F802-00000000FB01}50525760C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023539Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.550{6EDEAD03-FF62-615B-F102-00000000FB01}49805088C:\Windows\System32\taskhostw.exe{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023538Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.550{6EDEAD03-FF62-615B-F102-00000000FB01}49805088C:\Windows\System32\taskhostw.exe{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023537Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.535{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023536Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.535{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023535Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.535{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023534Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.535{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023533Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.456{6EDEAD03-FC1B-615B-0B00-00000000FB01}6364472C:\Windows\system32\lsass.exe{6EDEAD03-0272-615C-3305-00000000FB01}5764C:\Program Files\Notepad++\updater\gup.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023532Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.456{6EDEAD03-FC1B-615B-0B00-00000000FB01}6364472C:\Windows\system32\lsass.exe{6EDEAD03-0272-615C-3305-00000000FB01}5764C:\Program Files\Notepad++\updater\gup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000023531Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.410{6EDEAD03-FC1D-615B-1200-00000000FB01}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B26430E4140DDD41B68BA0BA2158A08C,SHA256=E438FD60674ECBD92DAC32B9427220EA6822B74E0D97652631C71511934F05EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023530Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:48.649{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61972-false93.184.220.29-80http 10341000x800000000000000023529Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.363{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023528Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.331{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023527Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.331{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023526Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.331{6EDEAD03-FF5F-615B-E202-00000000FB01}9724272C:\Windows\system32\csrss.exe{6EDEAD03-0272-615C-3305-00000000FB01}5764C:\Program Files\Notepad++\updater\gup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023525Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.331{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023524Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.331{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023523Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.331{6EDEAD03-0272-615C-3205-00000000FB01}56325560C:\Program Files\Notepad++\notepad++.exe{6EDEAD03-0272-615C-3305-00000000FB01}5764C:\Program Files\Notepad++\updater\gup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+3c8dc|C:\Windows\System32\SHELL32.dll+e2157|C:\Windows\System32\SHELL32.dll+e20b5|C:\Windows\System32\SHELL32.dll+13b14b|C:\Program Files\Notepad++\notepad++.exe+248e19|C:\Program Files\Notepad++\notepad++.exe+29b489|C:\Program Files\Notepad++\notepad++.exe+2cd446|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023522Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.327{6EDEAD03-0272-615C-3305-00000000FB01}5764C:\Program Files\Notepad++\updater\GUP.exe5.2WinGup for Notepad++WinGup for Notepad++Don HO don.h@free.frgup.exe"C:\Program Files\Notepad++\updater\gup.exe" -v8.15 -px64C:\Program Files\Notepad++\updater\ATTACKRANGE\Administrator{6EDEAD03-FF61-615B-7756-1D0000000000}0x1d56772HighMD5=F798334C9C79EF33D7735556667F68AF,SHA256=CC1955AC4925C6985BCA189D1B08D4A8C372F9A7BFD1459DDF334CE7E9A1DD98,IMPHASH=FC933F2041320B70EF128DD4E38ECA3F{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Program Files\ansible\AttackRangeSysmon.xml" 10341000x800000000000000023521Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.316{6EDEAD03-FC1B-615B-0B00-00000000FB01}636804C:\Windows\system32\lsass.exe{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023520Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.316{6EDEAD03-FC1B-615B-0B00-00000000FB01}636804C:\Windows\system32\lsass.exe{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023519Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.285{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023518Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.285{6EDEAD03-FC1D-615B-1600-00000000FB01}12881440C:\Windows\System32\svchost.exe{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023517Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.269{6EDEAD03-FC1D-615B-1600-00000000FB01}12881316C:\Windows\System32\svchost.exe{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000023516Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.144{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EF782B427CBE78172B3D63999FC6658,SHA256=FE9A4D803F98D437EC6163D777A6D59854C0C824705C9E1BC2FC8EE6EE400023,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007954Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:50.730{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06D864D1B373BEF75C7B22E6D7F4C7B3,SHA256=614449A5A2BCE8CA1E0A981F5D602A38C43B1F3EE2E039C3C91AFCFFAE2A76AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023515Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.113{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023514Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.113{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023513Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.113{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023512Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.113{6EDEAD03-FF5F-615B-E202-00000000FB01}9723552C:\Windows\system32\csrss.exe{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023511Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.113{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023510Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.113{6EDEAD03-FF62-615B-F802-00000000FB01}50525728C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+80257|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+17c27c|C:\Windows\System32\SHELL32.dll+19ea38|C:\Windows\System32\SHELL32.dll+284683|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c520|C:\Windows\System32\SHELL32.dll+17999e|C:\Windows\System32\SHELL32.dll+736c1|C:\Windows\System32\SHELL32.dll+765a6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x800000000000000023509Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.036{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe8.15Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Windows\system32\ATTACKRANGE\Administrator{6EDEAD03-FF61-615B-7756-1D0000000000}0x1d56772HighMD5=FFA5A4D514D5C6C8941F27AE70F5153F,SHA256=D8796686D89D91895EB4D9DA7B7927CCB6EEA60563E7CA1B5BE752938BDC56C8,IMPHASH=4E6B94197F3543B5F40334E36F4E7385{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000023549Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:51.581{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D083022D0EFC1C0F2CB42DC53D895157,SHA256=8D1751FAC7409CE44730B79DA06C7B0550420F60E0F0001951274F8F7ACF68AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023548Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:51.581{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F38A696F544E357837348A21AB039D4,SHA256=85C0D383D1F3931AFD8D1DD86EDEC85C6A347FDA6A6B85C8AC794B8D43F20472,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023547Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:51.581{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF8931AFC539D94BEB114F7DD7477AEE,SHA256=B08B0E38845D360579D412A422DBA8F244B2383C745E46D73C7C189B1A5B051D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023553Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:52.597{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A88C3A24278C72D9CAA84ED432DD3FCE,SHA256=3EFE639CB5E19C5C8446160D9E98E47C8A709083EBB530DFD2B8B7F9AF104C5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007956Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:52.152{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=194F8081F9FE36AFE7403B83A8CF08B2,SHA256=3925EE2BA50F7E166BDDB59A96FEFCC852309DA16741A6F843914A6B2275844E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023552Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.050{00000000-0000-0000-0000-000000000000}5764<unknown process>-tcptruefalse10.0.1.14win-dc-676.attackrange.local61973-false172.67.136.69-443https 354300x800000000000000023551Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.014{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local62053- 22542200x800000000000000023550Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:50.031{00000000-0000-0000-0000-000000000000}5764notepad-plus-plus.org0::ffff:172.67.136.69;::ffff:104.21.26.128;<unknown process> 23542300x800000000000000023554Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:53.659{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21407C559E1D72C307979FB853D2015E,SHA256=4D5292985A1C97EE251ADFA283C5388CD14202BFE362AD05EE2DB098FEC5FEBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007958Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:53.293{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EBFADBCA87EB9B71361E89DA9B44E8E,SHA256=CB1C1256F265F3EDA917340CCDBF485B600599BBF81E5BDDFC9A878B33A4E4E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007957Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:50.248{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49921-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000023556Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:54.706{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8AD8914FDF4155B7CE21F7810EDA924,SHA256=04C7BB22AB8D3DD238BC203705D1257F2117077BBCBA4F6E95D6D550F1136D93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007959Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:54.324{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC135A614F4C75BD321D2E2213CC5442,SHA256=38107494CFECAB71718D2C4821AF30C0C9554DDA7EC0195558F01A2482B025F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023555Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:52.797{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61974-false10.0.1.12-8000- 23542300x80000000000000007960Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:55.371{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80F779D32B1BBC305702D3E4F51516E1,SHA256=92E29A6D92DBB6A022713B73F0C545FA9C550ED8282CC1FDE9DAA7B2C699B271,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023557Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:55.722{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04CE7E045B1E22F9A7CE1149A5D22A21,SHA256=06FA2A48F080D5C5073D5C1FE6B59CAC95CE793CDB5EB5B5047D76256FB73DF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023561Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:56.738{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A73A531CCFA671A0C72C6DF953C4D428,SHA256=CEDA8D118805722A857D4BA0F210E8A46B17E8684B8166506F835ED854C9C2CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007961Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:56.387{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF69DEC7746146B3AA1F4B1EEEE59165,SHA256=308E4AB144806002AA1FA2A3922ED26166863A21D45280F4DC31F0FE749BC3EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023560Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:56.159{6EDEAD03-FF62-615B-F802-00000000FB01}50525772C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023559Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:56.159{6EDEAD03-FF62-615B-F802-00000000FB01}50525772C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023558Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:56.159{6EDEAD03-FF62-615B-F802-00000000FB01}50525772C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000023562Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:57.783{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB5AF3691414F789AE818D49CFB1C20A,SHA256=64FA0CA5A7A5570589D2BCF324E9D0488CF24C0BDEE89B6EEE0730B7E746CCC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007963Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:56.170{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49922-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007962Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:57.387{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89D83B21737F213BFD7376B6FC4E8EF0,SHA256=2069B70B5F56FE45544844B4CCC021884803FC40E5C2E888288289941D6D452C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023563Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:58.799{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC42DA873F19A35FC903144869F8192F,SHA256=29D4FB9FAA753A2D496B181F99E488E099FBDCC23EB1B2A556CB143F5465A21E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007964Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:58.396{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65B22B3140F860FAD451BFF33908350C,SHA256=FFB681EC50DEDE410A6770EC63C7D409CFF1E2F93D21195DE611CB9CC1F49DD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023564Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:59.799{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EE2D3C69D16AF624FDF1924DA4EE07C,SHA256=112E3288D322EE1517CE12CA12064F791A24E6C969B0033A4B3D12F0DB057B82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007965Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:44:59.615{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6724A087C8B5598D0442CCD5C6EE3762,SHA256=251AD17C59BBBA98F3FB1A85B01D21C079283CA08A66CC40622ADC9DE23337D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007966Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:00.756{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51EC1552FBA4868760BDA7928E6456FF,SHA256=C0D2F90EDB10861E4DC96259109673C5665ECCB2238CB235E8B1A76E4B5B8C85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023565Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:00.815{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D49709D792BFD3B81007DF5ED201B56,SHA256=5973E7B692C70F676D6095B9854361291FCC4FC94D0D9C5C0FCAD4450AD657E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007967Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:01.913{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD6F497C02F1E690F7E4BAEC4874D84A,SHA256=9AE5561FC3E3D960CABAD544737A7D01D2B40162FAC80088096959074D8CE73D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023567Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:01.815{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D70D1DBDA6753120144A6BA603B24CB3,SHA256=17164835337E79CDCD68C0719FA723242E9E05883B5E87E4ED7010381978018A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023566Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:44:58.780{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61975-false10.0.1.12-8000- 23542300x80000000000000007969Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:02.990{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA3D569585E29E86DDDC5634A1464575,SHA256=C58B0BCE734E675CDC0CD43E840F24380BD52C5D21F06833B082899CDC22430C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023568Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:02.815{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32548B1448FF2B545DC27C330116A2A2,SHA256=8833C3C3CA1EDA2D1A246DB46D2986505BAB48BF14640F7294E6B79946F3621A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007968Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:02.150{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\respondent-20211005072534-018MD5=9DBD3CF651CAD1963D7DD9E70795396E,SHA256=D00FE5240C0E39CC33FD8ADFFDA13197E8833401D0A3D05F731F6A79B8E00229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023569Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:03.846{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9567CD8201D18677BB92EE554DE4A19,SHA256=4E47818D1097A421D9767F47FBC58981C81348229603C3129611C726F5C4E7F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007970Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:03.163{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\surveyor-20211005072532-019MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023571Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:04.986{6EDEAD03-FC1D-615B-0D00-00000000FB01}9082492C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-EC02-00000000FB01}4752C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000023570Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:04.877{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3F6C1BF485E2B8E6F5732D4A74830D2,SHA256=064568A6B82B25733D237D3EA05072141A9743C04F4BE8F77FBA51DDC4A87DF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007972Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:02.165{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49923-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007971Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:04.225{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB76FEDF940C45E4FE452C31EEF84408,SHA256=95BCD596587EEA70DBF2BA1F1024519D0456FAA8AD63B2DBA669D03EE52F9213,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023572Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:05.908{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=550843EF2DE038D7C4C866B254C803F8,SHA256=0E76213ABC68F20F67AAF9AE97C4493501D9CA0FA7AE83EE908F5C2506688C89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007973Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:05.272{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F165ADC49DAFD23B88C1EC161CE4A3E5,SHA256=87B43CE03919CE0A922F921B6A9E7DAAB52D8F5B9DA92420A420FBCFF0C65F31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023574Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:06.908{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E21461CCBA27C757F56652AF0D1637B5,SHA256=8FB9D51E0FDA7F9FC9D8809BAC7DD20EF48DC82882082065B7353A497AE49F53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007974Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:06.412{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C693C1D7FD2EA6DEF377CAED08AF2352,SHA256=E5B15ACC9F036FCFC9AC121B1FD7D4F55CC996CD225C44C40137EC31ECDA49FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023573Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:04.733{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61976-false10.0.1.12-8000- 23542300x800000000000000023575Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:07.908{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3521FB97838F033D5168659C55DA57F7,SHA256=D33FAAF1E99AB8C75DB512E6093B4AD48A6428D9ABB8F3B9F8C13BB22F7040DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007975Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:07.412{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1416E32404E0BA0B015DAC45CE4D5266,SHA256=F38CEBDD00FC05E697FD783326ECF1AE3A7F3B024F6E1259BAF99C6272CA3982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023576Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:08.924{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F33362C4EE1C356127F422353E665C3D,SHA256=A059140B2D31918006A5231932EBE34AA3D009C7AFD9A3A2773F2F56F39DE888,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007976Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:08.412{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE6DB8E2227B478DABAC78F38DB6CD97,SHA256=D04A49DEBBF19D7ADC7F988669CF6EFB08CE807A24B7ADB16B3A508B727A194F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023577Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:09.955{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE1808B647A8B960ADC45495874C815,SHA256=4A82CBCA29C3851684EC0AFAF12EE244EA6CF7D4D72213B03D9A6A1FD49B52D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007977Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:09.428{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3229293D4D3A55DE8AECDA5F6734E6CB,SHA256=1C6B0CA748F1EF5D8446861AF6E792301021E1A1624D644A6C79925081FA96EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023579Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:10.986{6EDEAD03-FC1D-615B-0D00-00000000FB01}9082492C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2700-00000000FB01}2896C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000023578Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:10.955{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA8AD340853008C55D74A01E2F56C97,SHA256=66D6E9FF6D2C7EA595604CAEAE7428C2254518AD1AA2FB83E4BF17989FF19727,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007979Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:08.164{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49924-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007978Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:10.460{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF51ABBB897DFE916718C03F59506160,SHA256=694DFAF46225EC5C4CE588FEB34FCAFBCEA16014C2439C9DCEDE8556382E1D73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023580Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:11.971{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=207E263C8FD0B7DD85302C539CE2920F,SHA256=6E20827CF0614A9CE9E8164A42E03254EA56342063BD1AAAD3F6FB703E57E48F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007980Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:11.694{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF49F23DF4F521633051B13FAF91595,SHA256=27E277869A8968D80EB8D2479D35D5E1271EDBBFA285B6BA4CDEC34C1DB2BB5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023582Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:12.971{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E5A236D09DF51F5D858409A4ACE2F5B,SHA256=DDE4315047AE390ADA71A90B6253642B52B82436122AED25A7A701EF0E041DE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007981Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:12.725{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1093A9CAA4276B1106396A6425FF62D8,SHA256=A378D5247B6B4D32560F6E4756055F44FBC15422171DBB6FDD54B4546A5E4734,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023581Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:09.843{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61977-false10.0.1.12-8000- 23542300x800000000000000023583Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:13.971{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CD45DEE7A93480237672BE854A59A53,SHA256=CA77D41FE5ECA5C4545F5FEE6629D4396917DC90086E033E91336736FA51A048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007982Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:13.959{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2F968BE9D64F8C10705A19A938925E7,SHA256=D8F06F31939659851BA9FC0F2D66EC9063901D5E813EC25306CEB51831E87E68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023584Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:14.986{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D59DAA82F3DE67D230B71181AFD5501,SHA256=A842461B9AFEF4F83A4F70A6BF2D7A6D446A14AAF23F2450576315D5B1C4AA58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007983Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:14.991{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40161B7B6BB7593C3EFE145C178C93F8,SHA256=CF66F58335304DA03AD3B47042B996B5FC15648BB5074784804CC9203B319CD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023585Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:16.002{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B870E3853357B203704995FEE63601D2,SHA256=26811F13A6A7E6B29C19804A586FEF4ACB713E5217CC1DD2C73EB0365074DA73,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007985Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:14.070{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49925-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007984Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:16.162{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ABFA68D1186173F4C52FCE9E0FB39A5,SHA256=167A3B878750679CA74FC0E683F94FB246E33AC360BED8E1B04A45586C1C3A54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007986Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:17.241{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5E1E338289A1E8E4223E418E26209C3,SHA256=68EF47F3790A4BEC4786012709FF1EE2A3D435BD5F7ABD9D8F5B6C616D5A87DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023588Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:17.330{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1335EAEADC7FAB5BA8F67062F44BC1E3,SHA256=BCFE4A696D263C72BD4893438781CBD382729F6F1A63A062985419714436161C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023587Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:17.330{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D083022D0EFC1C0F2CB42DC53D895157,SHA256=8D1751FAC7409CE44730B79DA06C7B0550420F60E0F0001951274F8F7ACF68AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023586Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:17.002{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE5A1C583AE13AAE366DEA59916574F7,SHA256=FDA2436CDF881B01DCD23CBAE37838BDD7DBBE43A8C537AA01A3E0FBD0870931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007987Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:18.448{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7709D40BE0A6C25AD694525E1655C061,SHA256=E9A0821CCC08717464D429AA68A1558C5F5975101568CE3E05F182314D2B1C6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023592Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:18.116{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=423CFF5ECBF43D006DC202533A820D91,SHA256=8B842BBAF27C18598421B6C3E300280A195BB6A2D7E79FEA4543A74406E51A6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023591Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:15.937{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local61979-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 354300x800000000000000023590Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:15.937{6EDEAD03-FC2A-615B-2900-00000000FB01}2912C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local61979-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 354300x800000000000000023589Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:15.624{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61978-false10.0.1.12-8000- 23542300x80000000000000007988Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:19.448{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E1FC6BD0C2BE80CFB40A653FF48EB2,SHA256=50DF21CBD04F2A4788ED92A7FF35A9C9CB0F559E30C2D93A30AB759D3FFEC766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023593Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:19.209{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC3C823702522EDE6F998AC79B18AC60,SHA256=E2A6042F1A27A7E8F27BA92E674A968359DC7749F93DBEAF89CDDAB341A25361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007989Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:20.479{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D3F0A8231C4E4B5EAE61085631D7939,SHA256=EACB81C2100A469863DDFA13DD934EA6C86CA8B21BABA095DDCC6040E2724FB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023594Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:20.287{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A01883051D622E382376031F98BCA457,SHA256=31FD37E7010FC56247454F4D37CFE9D131A810DA54C77238E476278D77AED246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023595Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:21.319{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0CD5A6D2EF028DC909E1F420FCCC5FD,SHA256=4DAD5BB8CACAD2710A20989103FF726AC1883AD420791B34E987FFBFD68516C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007991Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:19.153{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49926-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000007990Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:21.479{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=255BB160F01065CF62E7D9DC011386D3,SHA256=52D0A50641DEBF5932EA500097463C91D177A3793F96C922AFAF9ADB7C5181BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007992Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:22.604{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6966472769321F59B209BDD428DFDCE7,SHA256=0883EA90C977A6F39D2234B5EB58A907C03909546A45F00B26F9BF4460C08432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023596Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:22.350{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06A0FD5D892A01C08BF3574F4509CE00,SHA256=20E3F204465F9D427B2DF392E46FF8F124578A09ACD6D867EA2EA90994D8AC44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007993Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:23.838{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52D70EFC4C5AB604BC5621D6C6A57AC0,SHA256=423B874B5875B68AE8B602C5D0537C6E1A05D847D4CABEE3C28E8BE3CFB86F77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023601Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:23.991{6EDEAD03-FF62-615B-F802-00000000FB01}50525772C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023600Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:23.991{6EDEAD03-FF62-615B-F802-00000000FB01}50525772C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023599Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:23.991{6EDEAD03-FF62-615B-F802-00000000FB01}50525772C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000023598Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:23.381{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8126E471DED19BE1CEC1B5F5E42B6F01,SHA256=5B5E332E491B99692C19B8C4510F04EA7FB62A54DE37F05F336642B8221E97D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023597Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:20.628{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61980-false10.0.1.12-8000- 23542300x80000000000000007994Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:24.948{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7012022B2E74011D1D353530BAB25953,SHA256=ED92EB510D3D8D3A9EEDF402010EF61F98E02F382A64D0F82F4A3EF9EC20FB48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023602Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:24.397{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34E86D130E849A6291FFB51F2263A8FC,SHA256=8EFA036C84F3F1D5813A437B3C2CD5E155FD044E239124875F3CD339BF3BC091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023603Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:25.428{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F06BD813D87E48B0E3E8208B3892A908,SHA256=B37DDC3852FA9E0525F12B36632FE179222067212095B66A989DEEF15420282A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007995Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:24.184{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49927-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000023604Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:26.444{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E4529A699128CF2800FF69EC5783DCF,SHA256=E0031001478E6BC3F7CACE4D5682AA158E86D81E72A6021D389F43F773BF60EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007996Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:26.167{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EEDE429E527D657521ADFE743798C48,SHA256=05CC200C803E24FABFF846BD0F69A5093E00E8D449C5767A8F8F05EE921E50E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023605Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:27.475{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E93001BE3645AADE8E85D997F10809C4,SHA256=21201B9F4E308632F79B8F7822CDCFC3FFC95B24138E591F0F16FAB7BF01F421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007997Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:27.401{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=263D78FD398DB228C1967B1035D9CBF3,SHA256=2C81A6288B3D2FF6C771719CC2DDE948AA16EB5A6A5CA0A61F9D711751DC0A78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023606Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:28.616{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95CF60FEEEFE98E75C46526D306C41F3,SHA256=5510B5F87887D6C89801539F2918AD1C0FEC4A9B7D38370171BBB02D224272BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007998Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:28.401{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EFCC20FBE1C30DB74CB4BA48C41D75C,SHA256=68787A05599845D11A9C8DB7BA2AF42E11EED8491E4A6E57993238499A1C27DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023608Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:29.678{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43292931898DF0F71E76381A9C7AE121,SHA256=73E254715B0C13CE2A2E9CE062CE1EE88F95F4BD6D835DFEC11998FCD4F12532,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007999Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:29.495{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00F2CB57E5FF349BCA31280978F62103,SHA256=BF8BF75F87E7CF1E8FE116138C548C0AB3E6F8896057520D8A34224206939E46,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023607Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:26.665{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61981-false10.0.1.12-8000- 23542300x800000000000000023609Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:30.678{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFAA981E6C8ADA949EB0F789E7C6275B,SHA256=EC650F1132C5194BE773B2D94FA40649EA805DE0B293881D91AAD39DDA4FF37F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008000Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:30.495{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DE4351959AA7A0ADE5D1E5EA0BAEAAA,SHA256=819A1AED8B187AD16D10B90E3C5ABA460D03D3CB6DD06D6ADF58C13003C75704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023610Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:31.694{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D571E3AA2D67F8A70A14D0766A488D46,SHA256=3F44F31A87CD54DE7638FFFA84EEBA7364236C076D55DC326412AA92A0E6356B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008002Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:30.153{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49928-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000008001Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:31.495{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEEF44E2F8741B439B92898DACF895D1,SHA256=7661770D46ED448B23E056A19BB716197B0B4DBC2CA69CC79FE5EED9657403DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023611Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:32.694{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDED6BA16CFCFE7513A3C4D878D1E45E,SHA256=611C6E09B48B46D5EA8B7E6149E3391947F42AF10BDEE8C14B9141E0E2371BB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008004Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:32.495{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4287F6B5458D138196D20F8657B1455,SHA256=A2D1047B59404D313C6E11562D66A1837F0C8F6B78A9B21DE30B864AE96209F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008003Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:32.182{49C67628-FDEB-615B-1100-00000000FC01}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A8DB8978D4735B1E0DE44C319690BC56,SHA256=932D82F118DBD52691FCC7009CD2A618B40A977D53547FC84BB241B3C4BE047B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023613Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:33.709{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=335EB9D796EBD1D6ABA8CCC75FD69E4A,SHA256=9479225246FA8F579718AD55DA05DBDEF575AAFADD09A7789BD0FC50B916E331,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008005Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:33.495{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F975612CBBD864059F0D6016370517C,SHA256=32A41E00128A63F4C8BB4E6C20A336CA3D094049A643CF1CAA8408C22C192ECC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023612Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:31.675{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61982-false10.0.1.12-8000- 23542300x800000000000000023614Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:34.928{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B55C32E9B0614546630A713F7B1A9A4E,SHA256=2F4C6D760471D51155DC88A40CD5949F84F006A32387EC3AE974A504E6796799,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008006Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:34.510{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3796665EF08D9B6B56325960C0E951DD,SHA256=07F74815D147D41EC68B0725D8944B845E03F64CC7794EC18B4585FA87823E90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023622Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:35.944{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A59AFF1B5D4835A1280E98FA34C4638,SHA256=D2951947FA828E7FB904441047951CF8620FD6145A54EB68AE5DF66914152F30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008007Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:35.512{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30759E3774B1EFDE4954E1F52AF89DC4,SHA256=7F8E45C083247BCC53472DA2E94C1F67F9186D490FD02D48BD78205F7E0B1506,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023621Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:35.865{6EDEAD03-FF62-615B-F802-00000000FB01}50525772C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023620Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:35.865{6EDEAD03-FF62-615B-F802-00000000FB01}50525772C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023619Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:35.865{6EDEAD03-FF62-615B-F802-00000000FB01}50525772C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023618Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:35.865{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023617Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:35.865{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023616Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:35.865{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023615Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:35.865{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000023623Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:36.959{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=735F325C12F787DA7467ED8FE090B9A0,SHA256=99410E3435BB4E9426CE285EBFE423125FB36A66AED67648CAFB980521D2DD8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008008Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:36.512{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=004A3C7132A7058F3D5E8B124FF6C731,SHA256=5565129AA0DD3878E9B6EF0ABE22C06110AD75DF9B927C452242B99E4FF53A4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008009Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:37.514{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F73C9F614B5EAD90525848D93006EA60,SHA256=D1EBE1ECA826FA2728B461C9B9DC328596F3EE2C16679C5D78606E50E926A765,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023654Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:37.775{6EDEAD03-FF62-615B-ED02-00000000FB01}48005308C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000023653Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:37.775{6EDEAD03-FF62-615B-ED02-00000000FB01}48005308C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000023652Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:37.775{6EDEAD03-FF62-615B-F802-00000000FB01}50525184C:\Windows\Explorer.EXE{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023651Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:37.775{6EDEAD03-FF62-615B-F802-00000000FB01}50525184C:\Windows\Explorer.EXE{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023650Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:37.744{6EDEAD03-FF62-615B-ED02-00000000FB01}48005308C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000023649Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:37.744{6EDEAD03-FF62-615B-ED02-00000000FB01}48005308C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000023648Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:37.728{6EDEAD03-FF62-615B-ED02-00000000FB01}48005576C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000023647Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:37.728{6EDEAD03-FF62-615B-ED02-00000000FB01}48005576C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000023646Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:37.728{6EDEAD03-FF62-615B-F802-00000000FB01}50523360C:\Windows\Explorer.EXE{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023645Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:37.728{6EDEAD03-FF62-615B-F802-00000000FB01}50523360C:\Windows\Explorer.EXE{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023644Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:37.728{6EDEAD03-FF62-615B-F802-00000000FB01}50525744C:\Windows\Explorer.EXE{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000023643Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:37.728{6EDEAD03-FF62-615B-F802-00000000FB01}50525744C:\Windows\Explorer.EXE{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000023642Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:37.713{6EDEAD03-FF62-615B-F802-00000000FB01}50525772C:\Windows\Explorer.EXE{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023641Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:37.713{6EDEAD03-FF62-615B-F802-00000000FB01}50525772C:\Windows\Explorer.EXE{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023640Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:37.713{6EDEAD03-FF62-615B-F802-00000000FB01}50525772C:\Windows\Explorer.EXE{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023639Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:37.713{6EDEAD03-FC1D-615B-0D00-00000000FB01}908956C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023638Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:37.713{6EDEAD03-FC1D-615B-0D00-00000000FB01}908956C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023637Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:37.713{6EDEAD03-FC1D-615B-0C00-00000000FB01}848876C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023636Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:37.713{6EDEAD03-FC1D-615B-0D00-00000000FB01}908956C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023635Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:37.713{6EDEAD03-FC1D-615B-0D00-00000000FB01}908956C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023634Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:37.713{6EDEAD03-FC1D-615B-0D00-00000000FB01}908956C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023633Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:37.713{6EDEAD03-FC1D-615B-0D00-00000000FB01}908956C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023632Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:37.713{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023631Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:37.713{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023630Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:37.713{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023629Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:37.713{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023628Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:37.713{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000023627Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:37.713{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000023626Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:37.713{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000023625Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:37.713{6EDEAD03-FF62-615B-F802-00000000FB01}50524832C:\Windows\Explorer.EXE{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023624Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:37.713{6EDEAD03-FF62-615B-F802-00000000FB01}50524832C:\Windows\Explorer.EXE{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000023656Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:38.807{6EDEAD03-FCBF-615B-AF00-00000000FB01}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023655Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:38.260{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50166E6E74C4034DBD41BBCAAB88B1F4,SHA256=B7BFCFB2B53F7144F8A3F89D5A91ADB112EFDC5B20754ED175B03AB006DD6B83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008011Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:38.561{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=840BB70BA062B54C6712DA0A1B195B3E,SHA256=F4F403738F19752075E1088D4199D162C18E0BFCFE8DB645196B0BB0C7A62175,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008010Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:36.154{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49929-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000008012Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:39.639{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC91D2BED4C40E765478708ADAF604B,SHA256=1C1A24A02F33BF366865CC0AA1522C20EADF9177A6B448E04B0FAE8AE5047A18,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023658Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:37.694{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61983-false10.0.1.12-8000- 23542300x800000000000000023657Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:39.400{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF8B008B55B159E465D674B4C2633B7D,SHA256=F9648F0BCD9444C1B4DE936D1C06834FF79BF5D954B59F5A634A138938C1F294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008013Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:40.702{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC7BBE8A7631472700FDFCEB24541194,SHA256=9BB3BEEAD91FF31E8C7DAC8F9EF94C9DD915380D66314797AA47F73D97077D80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023698Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.941{6EDEAD03-FF62-615B-ED02-00000000FB01}48005476C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000023697Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.941{6EDEAD03-FF62-615B-ED02-00000000FB01}48005476C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000023696Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.941{6EDEAD03-FF62-615B-ED02-00000000FB01}48005576C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000023695Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.941{6EDEAD03-FF62-615B-ED02-00000000FB01}48005576C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000023694Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.941{6EDEAD03-FF62-615B-ED02-00000000FB01}48005308C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000023693Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.941{6EDEAD03-FF62-615B-ED02-00000000FB01}48005308C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 23542300x800000000000000023692Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.832{6EDEAD03-FF6F-615B-2203-00000000FB01}6020ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\TGH2XTWQ\microsoft.windows[1].xmlMD5=C1DDEA3EF6BBEF3E7060A1A9AD89E4C5,SHA256=B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023691Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.832{6EDEAD03-FC1D-615B-1600-00000000FB01}12881440C:\Windows\System32\svchost.exe{6EDEAD03-02A4-615C-3605-00000000FB01}5768C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023690Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.832{6EDEAD03-FC1D-615B-1600-00000000FB01}12881316C:\Windows\System32\svchost.exe{6EDEAD03-02A4-615C-3605-00000000FB01}5768C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023689Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.816{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-02A4-615C-3605-00000000FB01}5768C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023688Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.816{6EDEAD03-FF5F-615B-E202-00000000FB01}9724272C:\Windows\system32\csrss.exe{6EDEAD03-02A4-615C-3605-00000000FB01}5768C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023687Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.816{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-02A4-615C-3605-00000000FB01}5768C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023686Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.816{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-02A4-615C-3605-00000000FB01}5768C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023685Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.781{6EDEAD03-FF62-615B-ED02-00000000FB01}48005308C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000023684Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.781{6EDEAD03-FF62-615B-ED02-00000000FB01}48005308C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000023683Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.765{6EDEAD03-FF62-615B-ED02-00000000FB01}48005308C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000023682Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.765{6EDEAD03-FF62-615B-ED02-00000000FB01}48005308C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000023681Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.761{6EDEAD03-FC1D-615B-1600-00000000FB01}12881440C:\Windows\System32\svchost.exe{6EDEAD03-02A4-615C-3505-00000000FB01}3604C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023680Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.761{6EDEAD03-FC1D-615B-1600-00000000FB01}12881316C:\Windows\System32\svchost.exe{6EDEAD03-02A4-615C-3505-00000000FB01}3604C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023679Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.757{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-02A4-615C-3505-00000000FB01}3604C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023678Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.745{6EDEAD03-FF5F-615B-E202-00000000FB01}9724272C:\Windows\system32\csrss.exe{6EDEAD03-02A4-615C-3505-00000000FB01}3604C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x800000000000000023677Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.713{6EDEAD03-FF6F-615B-2203-00000000FB01}6020ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\TGH2XTWQ\microsoft.windows[1].xmlMD5=C1DDEA3EF6BBEF3E7060A1A9AD89E4C5,SHA256=B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023676Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.713{6EDEAD03-FF6F-615B-2203-00000000FB01}6020ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\TGH2XTWQ\microsoft.windows[1].xmlMD5=5C2E735184F1DF219A075DBF325ADCC2,SHA256=7A4F04973A95ADC84507C6FD8671F6C3B9287C05C14781A6EFE45737E544EE64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023675Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.697{6EDEAD03-FF62-615B-ED02-00000000FB01}48005308C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000023674Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.697{6EDEAD03-FF62-615B-ED02-00000000FB01}48005308C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000023673Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.697{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-02A4-615C-3505-00000000FB01}3604C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023672Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.697{6EDEAD03-FC1D-615B-0C00-00000000FB01}848876C:\Windows\system32\svchost.exe{6EDEAD03-02A4-615C-3505-00000000FB01}3604C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023671Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.666{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-02A4-615C-3405-00000000FB01}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023670Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.650{6EDEAD03-FC1D-615B-0C00-00000000FB01}848876C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023669Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.650{6EDEAD03-FC1D-615B-0C00-00000000FB01}848876C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023668Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.650{6EDEAD03-FC1D-615B-0C00-00000000FB01}848876C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023667Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.650{6EDEAD03-FC1D-615B-0C00-00000000FB01}848876C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023666Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.650{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-02A4-615C-3405-00000000FB01}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023665Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.650{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-02A4-615C-3405-00000000FB01}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023664Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.342{6EDEAD03-02A4-615C-3405-00000000FB01}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023663Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.479{6EDEAD03-FF6F-615B-2203-00000000FB01}6020ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\TGH2XTWQ\microsoft.windows[1].xmlMD5=C1DDEA3EF6BBEF3E7060A1A9AD89E4C5,SHA256=B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023662Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.447{6EDEAD03-FF6F-615B-2203-00000000FB01}6020ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\TGH2XTWQ\microsoft.windows[1].xmlMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023661Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.431{6EDEAD03-FF62-615B-F802-00000000FB01}50523528C:\Windows\Explorer.EXE{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF800BF8618A8)|UNKNOWN(FFFFFD11022A5B48)|UNKNOWN(FFFFFD11022A5CC7)|UNKNOWN(FFFFFD11022A0351)|UNKNOWN(FFFFFD11022A1D1A)|UNKNOWN(FFFFFD110229FFD6)|UNKNOWN(FFFFF800BF579103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000023660Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.431{6EDEAD03-FF62-615B-F802-00000000FB01}50523528C:\Windows\Explorer.EXE{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF800BF8618A8)|UNKNOWN(FFFFFD11022A5B48)|UNKNOWN(FFFFFD11022A5CC7)|UNKNOWN(FFFFFD11022A0351)|UNKNOWN(FFFFFD11022A1D1A)|UNKNOWN(FFFFFD110229FFD6)|UNKNOWN(FFFFF800BF579103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000023659Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:40.416{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7861D71BD77B9F41B057CD0D4B794EFB,SHA256=6FD1ECB7D91D6683C705A1D8EA41F442A4ADA5E888A56CE8A468863817F72FF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008014Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:41.920{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2D0A95A99C34AB9844CFFB6EDDABC76,SHA256=0D4B0A1123D5BF3FE5FC1CF22495AEA31B1579F621F9F540BA269A8AA1BCA78E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023712Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:41.754{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B27AD15EEA48D50FE1F87D18A263C6D,SHA256=9E63D05572AD13389E200FBD67AA426D7FE9FC56B7B3FDEF9475A8CCC30C68C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023711Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:41.754{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39CDF156D8015027047099A2FF9C8512,SHA256=F2B3309352D47045CDF1F4EAB5F3C2112DE1F1D6B2EC85181649088A57FAE2F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023710Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:41.519{6EDEAD03-02A5-615C-3705-00000000FB01}71284456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000023709Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:38.398{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61984-false10.0.1.12-8089- 10341000x800000000000000023708Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:41.379{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-02A5-615C-3705-00000000FB01}7128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023707Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:41.379{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023706Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:41.379{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023705Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:41.379{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023704Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:41.379{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023703Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:41.379{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-02A5-615C-3705-00000000FB01}7128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023702Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:41.379{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-02A5-615C-3705-00000000FB01}7128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023701Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:41.255{6EDEAD03-02A5-615C-3705-00000000FB01}7128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023700Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:41.347{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D50CEE24570DE923841A8E53DC31A9B0,SHA256=52B6BAE3DD396E298E7A128E5E11AFB7D92989EFC7700D45819CFABF6D08B10E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023699Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:41.347{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1335EAEADC7FAB5BA8F67062F44BC1E3,SHA256=BCFE4A696D263C72BD4893438781CBD382729F6F1A63A062985419714436161C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023730Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:42.863{6EDEAD03-02A6-615C-3905-00000000FB01}63406816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023729Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:42.644{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-02A6-615C-3905-00000000FB01}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023728Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:42.644{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023727Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:42.644{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023726Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:42.644{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023725Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:42.644{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023724Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:42.644{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-02A6-615C-3905-00000000FB01}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023723Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:42.644{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-02A6-615C-3905-00000000FB01}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023722Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:42.645{6EDEAD03-02A6-615C-3905-00000000FB01}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023721Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:42.519{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE83A4CAD006CCACA74044B8A324B856,SHA256=28757144EEDB4C737A6EDFEFC9A098483811E27F0213885C9F66AE72604E4E7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023720Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:42.051{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-02A6-615C-3805-00000000FB01}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023719Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:42.051{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023718Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:42.051{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023717Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:42.051{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023716Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:42.051{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023715Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:42.051{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-02A6-615C-3805-00000000FB01}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023714Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:42.051{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-02A6-615C-3805-00000000FB01}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023713Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:42.051{6EDEAD03-02A6-615C-3805-00000000FB01}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023770Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.988{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-02A7-615C-3B05-00000000FB01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023769Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.988{6EDEAD03-FC1D-615B-0C00-00000000FB01}848876C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023768Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.988{6EDEAD03-FC1D-615B-0C00-00000000FB01}848876C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023767Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.988{6EDEAD03-FC1D-615B-0C00-00000000FB01}848876C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023766Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.988{6EDEAD03-FC1D-615B-0C00-00000000FB01}848876C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023765Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.988{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-02A7-615C-3B05-00000000FB01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023764Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.988{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-02A7-615C-3B05-00000000FB01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023763Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.989{6EDEAD03-02A7-615C-3B05-00000000FB01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023762Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.535{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2768E830DCA7441AF43C8FD2F96F83DD,SHA256=F4F37C22E692A5B4E6966CBF7B52993C780F591E26502887DE63673670EBE0DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008017Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:41.266{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49930-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000008016Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:43.108{49C67628-FE68-615B-9F00-00000000FC01}1772NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008015Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:42.998{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DBCFF69677B77A7808BE89E64DE6BFF,SHA256=1860D8C2DC5C549B810C8F8E5949597A15D8885651A3B49B858482E3298EF7D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023761Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.505{6EDEAD03-02A7-615C-3A05-00000000FB01}67043376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000023760Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.457{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B709F1BB5DFDBEE426AD30DCF060AA3,SHA256=F427CAF3FC7ECC8ACEF8EB4C5A1289DE7DEF9630582B1CD7040632975CE8D316,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023759Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.426{6EDEAD03-FF62-615B-ED02-00000000FB01}48005576C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000023758Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.426{6EDEAD03-FF62-615B-ED02-00000000FB01}48005308C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000023757Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.426{6EDEAD03-FF62-615B-ED02-00000000FB01}48005712C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000023756Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.426{6EDEAD03-FF62-615B-ED02-00000000FB01}48005576C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000023755Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.426{6EDEAD03-FF62-615B-ED02-00000000FB01}48005308C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000023754Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.426{6EDEAD03-FF62-615B-ED02-00000000FB01}48005712C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000023753Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.426{6EDEAD03-FF62-615B-ED02-00000000FB01}48005576C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000023752Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.426{6EDEAD03-FF62-615B-ED02-00000000FB01}48005576C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000023751Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.319{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-02A7-615C-3A05-00000000FB01}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023750Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.319{6EDEAD03-FC1D-615B-0C00-00000000FB01}848876C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023749Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.319{6EDEAD03-FC1D-615B-0C00-00000000FB01}848876C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023748Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.319{6EDEAD03-FC1D-615B-0C00-00000000FB01}848876C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023747Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.319{6EDEAD03-FC1D-615B-0C00-00000000FB01}848876C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023746Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.319{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-02A7-615C-3A05-00000000FB01}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023745Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.319{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-02A7-615C-3A05-00000000FB01}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023744Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.320{6EDEAD03-02A7-615C-3A05-00000000FB01}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023743Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.254{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000023742Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.254{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000023741Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.254{6EDEAD03-FC1D-615B-0C00-00000000FB01}848876C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000023740Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.254{6EDEAD03-FC1D-615B-0C00-00000000FB01}848876C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000023739Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.238{6EDEAD03-FF62-615B-ED02-00000000FB01}48005712C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000023738Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.238{6EDEAD03-FF62-615B-ED02-00000000FB01}48005712C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000023737Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.238{6EDEAD03-FF62-615B-ED02-00000000FB01}48005308C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000023736Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.238{6EDEAD03-FF62-615B-ED02-00000000FB01}48005476C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000023735Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.238{6EDEAD03-FF62-615B-ED02-00000000FB01}48005308C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000023734Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.238{6EDEAD03-FF62-615B-ED02-00000000FB01}48005476C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000023733Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.238{6EDEAD03-FF62-615B-ED02-00000000FB01}48005576C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000023732Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.238{6EDEAD03-FF62-615B-ED02-00000000FB01}48005576C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x800000000000000023731Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.051{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D50CEE24570DE923841A8E53DC31A9B0,SHA256=52B6BAE3DD396E298E7A128E5E11AFB7D92989EFC7700D45819CFABF6D08B10E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023796Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:44.976{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\respondent-20211005071805-026MD5=AA6F78CCC35FD74424B933C975A9F779,SHA256=482DFC86E7C4A11E76E3E352EB64B396C84C083D9F57F37823883232EC55A225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023795Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:44.755{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B61F86FD7C5497CB56D6EC898FC68131,SHA256=9CD5ABB2A6C4EA9A7E3538604CD0CE252A712E1F133FFB30B140F4DFDF2437E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023794Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:44.661{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-02A8-615C-3C05-00000000FB01}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023793Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:44.661{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023792Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:44.661{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023791Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:44.661{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023790Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:44.661{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023789Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:44.661{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-02A8-615C-3C05-00000000FB01}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023788Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:44.661{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-02A8-615C-3C05-00000000FB01}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023787Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:44.662{6EDEAD03-02A8-615C-3C05-00000000FB01}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008032Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:44.795{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-02A8-615C-6301-00000000FC01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008031Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:44.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008030Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:44.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008029Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:44.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008028Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:44.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008027Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:44.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008026Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:44.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008025Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:44.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008024Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:44.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008023Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:44.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008022Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:44.795{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-02A8-615C-6301-00000000FC01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008021Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:44.795{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-02A8-615C-6301-00000000FC01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008020Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:44.796{49C67628-02A8-615C-6301-00000000FC01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000008019Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:43.125{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49931-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000008018Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:44.233{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B645A127F3958CA08CAE62F67E6EEF6E,SHA256=06EA8795880E814927F1A8D81FBE0394DD03560D5740514AF38C2B1B8AC65F79,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023786Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:44.457{6EDEAD03-FF62-615B-F802-00000000FB01}50525744C:\Windows\Explorer.EXE{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000023785Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:44.457{6EDEAD03-FF62-615B-F802-00000000FB01}50525744C:\Windows\Explorer.EXE{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000023784Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:44.441{6EDEAD03-FC1D-615B-0C00-00000000FB01}848876C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023783Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:44.441{6EDEAD03-FF62-615B-F802-00000000FB01}50525772C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023782Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:44.441{6EDEAD03-FF62-615B-F802-00000000FB01}50525772C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023781Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:44.441{6EDEAD03-FF62-615B-F802-00000000FB01}50525772C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000023780Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:44.441{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45A7D724998C2BF4682AA05BBE19D8F3,SHA256=654A6A6349EA2BB44F424915399F8BDBB1357F0921A9414B8F77D3CAF80E3879,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023779Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:44.426{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023778Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:44.426{6EDEAD03-FF62-615B-F802-00000000FB01}50523360C:\Windows\Explorer.EXE{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023777Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:44.426{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023776Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:44.426{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023775Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:44.426{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023774Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:44.426{6EDEAD03-FF62-615B-F802-00000000FB01}50523360C:\Windows\Explorer.EXE{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023773Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:44.426{6EDEAD03-FF62-615B-F802-00000000FB01}50525184C:\Windows\Explorer.EXE{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023772Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:44.426{6EDEAD03-FF62-615B-F802-00000000FB01}50525184C:\Windows\Explorer.EXE{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023771Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:44.160{6EDEAD03-02A7-615C-3B05-00000000FB01}46364548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000023800Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:45.989{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\surveyor-20211005071802-027MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023799Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:45.770{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E425E4D3C10C13849487AFAF8CFA351,SHA256=60478C141B315F58473BF084A7F87CCF7D8851D29B353011A0367085DBB913BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023798Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:45.770{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B86330EA98525F01D198DE87924E263,SHA256=FA8B5CE2700B1C306A1FA5C5F7A06DC9FEFCBF190AFF739B83DD26A8B2EAC8AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008049Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:45.811{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AB25B9562003E1CE20B94A81FFC8D5E,SHA256=148C5F34BD8A51F851FD73B8039A860E5CD063057D3945BE39D509F597CB8EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008048Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:45.811{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A58F0A087D9F0E56B93C9B531308F4C4,SHA256=9A713A393899629721CEA145398535E3505FB54C898C04303A0317923BE1DAF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008047Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:45.639{49C67628-02A9-615C-6401-00000000FC01}25004028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000008046Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:45.467{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD98D6E918BB68194822C7E4A038C12D,SHA256=F0095B0F416C44B4C2BF86D6171A7674F13635CDDF2B60DCC8C8AA452CFDD241,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008045Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:45.467{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-02A9-615C-6401-00000000FC01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008044Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:45.467{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008043Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:45.467{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008042Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:45.467{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008041Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:45.467{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008040Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:45.467{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008039Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:45.467{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008038Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:45.467{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008037Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:45.467{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008036Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:45.467{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008035Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:45.467{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-02A9-615C-6401-00000000FC01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008034Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:45.467{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-02A9-615C-6401-00000000FC01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008033Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:45.468{49C67628-02A9-615C-6401-00000000FC01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000023797Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:43.720{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61985-false10.0.1.12-8000- 23542300x800000000000000023802Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:46.771{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=591C7D9800DC472F31D6F594D961A335,SHA256=6C4B721CC8A3AE2313B57A01A107C9BFE8B4853A1A32415428E941FC44C32C60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008063Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:46.639{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA58C0A600CA7B07F2BB97C0C98081D8,SHA256=94E01F224396C3BEF07073022617443DC52CC54D26EBBBACB794EB9A604DD4CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023801Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:46.424{6EDEAD03-FF62-615B-F102-00000000FB01}49805088C:\Windows\System32\taskhostw.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008062Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:46.139{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-02AA-615C-6501-00000000FC01}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008061Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:46.139{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008060Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:46.139{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008059Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:46.139{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008058Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:46.139{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008057Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:46.139{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008056Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:46.139{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008055Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:46.139{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008054Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:46.139{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008053Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:46.139{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008052Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:46.139{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-02AA-615C-6501-00000000FC01}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008051Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:46.139{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-02AA-615C-6501-00000000FC01}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008050Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:46.140{49C67628-02AA-615C-6501-00000000FC01}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023803Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:47.771{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06E197A5351F56289ADD13BFA1079E1E,SHA256=E003A08EEED3ED79E736AF9E267B416CE74958DF7251555C0C857E7822C434FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008079Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:47.639{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8FDA26FAC478BB131B18B38DE9B84F0,SHA256=9D0527F2605D161D96C8CB07B84CB9BCEC1254C541F6BE0EC017B809DEF386D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008078Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:47.264{49C67628-02AB-615C-6601-00000000FC01}988288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000008077Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:47.139{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AB25B9562003E1CE20B94A81FFC8D5E,SHA256=148C5F34BD8A51F851FD73B8039A860E5CD063057D3945BE39D509F597CB8EED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008076Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:47.077{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-02AB-615C-6601-00000000FC01}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008075Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:47.077{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-02AB-615C-6601-00000000FC01}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008074Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:47.077{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008073Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:47.077{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008072Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:47.077{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008071Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:47.077{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008070Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:47.077{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008069Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:47.077{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008068Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:47.077{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008067Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:47.077{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008066Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:47.077{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008065Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:47.077{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-02AB-615C-6601-00000000FC01}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008064Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:47.077{49C67628-02AB-615C-6601-00000000FC01}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023826Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:48.802{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2884833DD8AA4CCDA0B7B578B0F9E22,SHA256=6F435DFFC5527EA879921A4F1DBC37D26A215505580CAF588DD20C638EAB1C37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023825Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:48.334{6EDEAD03-FF62-615B-F802-00000000FB01}50525772C:\Windows\Explorer.EXE{6EDEAD03-02AC-615C-3D05-00000000FB01}3236C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023824Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:48.334{6EDEAD03-FF62-615B-F802-00000000FB01}50525772C:\Windows\Explorer.EXE{6EDEAD03-02AC-615C-3D05-00000000FB01}3236C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023823Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:48.334{6EDEAD03-FF62-615B-F802-00000000FB01}50525772C:\Windows\Explorer.EXE{6EDEAD03-02AC-615C-3D05-00000000FB01}3236C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023822Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:48.334{6EDEAD03-FF62-615B-F102-00000000FB01}49805088C:\Windows\System32\taskhostw.exe{6EDEAD03-02AC-615C-3D05-00000000FB01}3236C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023821Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:48.334{6EDEAD03-FF62-615B-F102-00000000FB01}49805088C:\Windows\System32\taskhostw.exe{6EDEAD03-02AC-615C-3D05-00000000FB01}3236C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023820Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:48.318{6EDEAD03-FF62-615B-F802-00000000FB01}50525508C:\Windows\Explorer.EXE{6EDEAD03-02AC-615C-3D05-00000000FB01}3236C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023819Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:48.318{6EDEAD03-FF62-615B-F802-00000000FB01}50525508C:\Windows\Explorer.EXE{6EDEAD03-02AC-615C-3D05-00000000FB01}3236C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023818Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:48.318{6EDEAD03-FF62-615B-F802-00000000FB01}50525508C:\Windows\Explorer.EXE{6EDEAD03-02AC-615C-3D05-00000000FB01}3236C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023817Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:48.318{6EDEAD03-FF62-615B-F802-00000000FB01}50525508C:\Windows\Explorer.EXE{6EDEAD03-02AC-615C-3D05-00000000FB01}3236C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023816Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:48.318{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-02AC-615C-3D05-00000000FB01}3236C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023815Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:48.318{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-02AC-615C-3D05-00000000FB01}3236C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023814Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:48.318{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-02AC-615C-3D05-00000000FB01}3236C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023813Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:48.318{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-02AC-615C-3D05-00000000FB01}3236C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023812Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:48.271{6EDEAD03-FC1D-615B-1600-00000000FB01}12881440C:\Windows\System32\svchost.exe{6EDEAD03-02AC-615C-3D05-00000000FB01}3236C:\Windows\regedit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023811Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:48.271{6EDEAD03-FC1D-615B-1600-00000000FB01}12881316C:\Windows\System32\svchost.exe{6EDEAD03-02AC-615C-3D05-00000000FB01}3236C:\Windows\regedit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023810Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:48.099{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023809Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:48.099{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023808Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:48.099{6EDEAD03-FF5F-615B-E202-00000000FB01}9723552C:\Windows\system32\csrss.exe{6EDEAD03-02AC-615C-3D05-00000000FB01}3236C:\Windows\regedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023807Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:48.099{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023806Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:48.099{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023805Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:48.099{6EDEAD03-FF62-615B-F802-00000000FB01}50524164C:\Windows\Explorer.EXE{6EDEAD03-02AC-615C-3D05-00000000FB01}3236C:\Windows\regedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+3d433|C:\Windows\System32\SHELL32.dll+3d2fb|C:\Windows\System32\SHELL32.dll+3cc17|C:\Windows\System32\SHELL32.dll+3c8dc|C:\Windows\System32\SHELL32.dll+e2157|C:\Windows\System32\SHELL32.dll+e20b5 154100x800000000000000023804Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:48.096{6EDEAD03-02AC-615C-3D05-00000000FB01}3236C:\Windows\regedit.exe10.0.14393.953 (rs1_release_inmarket.170303-1614)Registry EditorMicrosoft® Windows® Operating SystemMicrosoft CorporationREGEDIT.EXE"C:\Windows\regedit.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{6EDEAD03-FF61-615B-7756-1D0000000000}0x1d56772HighMD5=BF5D30514FEA913E25CCC9E546257088,SHA256=254B18A8CC6589AF666EE17CE4E76C67350AECF578206CC7678745ED47A32D63,IMPHASH=E6DBB62DC548A099806914C678466448{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x80000000000000008107Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:48.795{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-02AC-615C-6801-00000000FC01}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008106Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:48.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008105Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:48.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008104Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:48.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008103Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:48.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008102Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:48.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008101Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:48.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008100Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:48.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008099Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:48.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008098Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:48.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008097Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:48.795{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-02AC-615C-6801-00000000FC01}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008096Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:48.795{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-02AC-615C-6801-00000000FC01}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008095Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:48.796{49C67628-02AC-615C-6801-00000000FC01}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000008094Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:46.281{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49932-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000008093Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:48.515{49C67628-02AC-615C-6701-00000000FC01}6361900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008092Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:48.295{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-02AC-615C-6701-00000000FC01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008091Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:48.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008090Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:48.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008089Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:48.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008088Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:48.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008087Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:48.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008086Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:48.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008085Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:48.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008084Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:48.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008083Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:48.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008082Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:48.295{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-02AC-615C-6701-00000000FC01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008081Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:48.295{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-02AC-615C-6701-00000000FC01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008080Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:48.296{49C67628-02AC-615C-6701-00000000FC01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023837Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:49.881{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000023836Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:49.881{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000023835Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:49.881{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000023834Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:49.881{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000023833Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:49.881{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000023832Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:49.881{6EDEAD03-FF62-615B-EE02-00000000FB01}49083740C:\Windows\System32\sihost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000023831Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:49.818{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B665A90572B8BEA9C1AD5AE40F6E4700,SHA256=11F89825D726ED631FB92B3A636589CF585B947236610025CA554ADAC85B8BDF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008123Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:49.717{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-02AD-615C-6901-00000000FC01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008122Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:49.717{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008121Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:49.717{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008120Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:49.717{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008119Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:49.717{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008118Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:49.717{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008117Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:49.717{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008116Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:49.717{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008115Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:49.717{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008114Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:49.717{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008113Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:49.717{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-02AD-615C-6901-00000000FC01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008112Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:49.717{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-02AD-615C-6901-00000000FC01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008111Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:49.718{49C67628-02AD-615C-6901-00000000FC01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000008110Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:49.342{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=589489F391A27DB7D8D0945D8024701E,SHA256=296D4EE48944339C49E172DC4DCFAD7C2EF3D134717E0371535F6509F5EE9A4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008109Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:49.124{49C67628-02AC-615C-6801-00000000FC01}19361840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000008108Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:49.031{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D279B4F1AC9613837B0656808D6A44D1,SHA256=BD47CA24A090BE7536754B4E701062B678E0FA1DD8AAD4FBA2B24800FA5E4BF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023830Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:49.724{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000023829Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:49.724{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000023828Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:49.724{6EDEAD03-FC1D-615B-0C00-00000000FB01}848988C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000023827Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:49.115{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FB821BA407C8C1C22B3C2A2D71B92C7,SHA256=E745D670BFC596AECDFA933808808607339FD71F64BE56AF907D8DD81DAEB855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023839Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:50.834{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CB67FB1F709D29CDCF6AD3340827349,SHA256=2E59E51BEF41C4EA255928945174681F013B46817E6DB2998FCC186F25290011,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008125Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:50.858{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B04123E85E2200BA424C5BFD6C4556C9,SHA256=601E233D5D28E4F9F40E5FFE4CC4BEC6BBBFEE60C20B5A560EF517DACBBB291D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008124Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:50.264{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A18E10BA8B2FAA916C2B99713928FDB,SHA256=E458E1572476F0122838ECB74E6F4EC09DD9D9B593448682D12F121686BFDA84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023838Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:50.412{6EDEAD03-FC1D-615B-1200-00000000FB01}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C80E6A4C0BB24AEB8A50622469030B83,SHA256=FECF128D6573C892BCAEBD7AC5E5E8DCC3C5B102D3C536887DFABC955CDB8EBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023841Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:51.849{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63ACF0C3005DDD76BD656BFAED7C16D1,SHA256=BB7831970761FAA15071C0789D9D724F6705B8F1793B538914B7D9BEB21400A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008126Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:51.389{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7669F4369FFB2F97FF9FAEB2BB1A06E3,SHA256=50FAA3CEAA68D3273CCBCD5F3D37E5677E2F27630E81AE4D7E00B1611E9605BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023840Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:49.722{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61986-false10.0.1.12-8000- 23542300x800000000000000023842Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:52.880{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89152B08FB08778EF840F07C87A12B57,SHA256=1DF06F0756B4C0034B280DA056AC006E2F9C462B861D98C5C985F4BC0EF7851A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008127Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:52.514{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D08DCBC4F5F9D54B02D0B797CB31F263,SHA256=D406DC82D4B2D2B40629ED14599C7E73B7EAF0BC9A8BA3CE338A9363F0624487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023843Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:53.896{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A2816C8E5AD9018962B49B9D16DC54,SHA256=DF69AC68FEBCF08522E3929DE732F13844A779144939361AA6C95B574A40EF32,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008129Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:52.188{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49933-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000008128Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:53.608{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=397A162907B2221D89EF72FED186B624,SHA256=EB997063E37BEC54E8DB7653E58F1A6069F18D71D62B558FC1664BAED9AAC2B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023844Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:54.896{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A659115C823E63693DC8794A1E8753EE,SHA256=6163910487A383EA0606475E1CE709EF45897B4C9028311EA8292BF6D0D00010,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008130Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:54.623{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=853377E264B0E6B99FF2898C2F27062B,SHA256=16C73D6A0250D736B1CA40D21324C49EF28A09D421CD8463EE95454642FC0981,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023845Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:55.927{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2692A1E78C2C7888A8500E3D30799CAF,SHA256=96913673A86650D7E9F40756AFF300CD9A7B52D6FE784D66767309E3AC7CEB4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008131Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:55.623{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A64B8CAD979B5944EEC53A6FDA4DF6FB,SHA256=8DE78932726AFAC1AF30AC517F48F313517574228B0CC59813DB45EA13051919,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023846Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:56.927{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4472C088E1B1144637BF2E4524C6E9A1,SHA256=AE502E48D48A90C0FABC5CC01046A8FFF03D6F207D593A4B13CC1F43C314AFC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008132Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:56.639{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA0893ED5D1ECBB2C353011A8F4E45B4,SHA256=99B3E0644AE26B89BEBEE364ECD7BCF81243D00EDAD699669FA228729402B9FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023848Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:55.753{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61987-false10.0.1.12-8000- 23542300x800000000000000023847Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:57.928{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8729852DA763396CD068A44816639280,SHA256=435F13ECDB51295A57FEFC2A4739156E90B1B2D6B5CF590CB2B31BBF13B2EF69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008133Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:57.652{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFEEE02DB4B7F794218E70ACF2EE058D,SHA256=E08BA13E6664B84A97B698D737623F79C02FDEF887F4CCDBEB3D9A0BF8437CA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008134Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:58.886{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DECFDF98EA8EE531A139DA4EC20AD844,SHA256=A005F553DA11B1141A3E0417C5811F932A554D312BFD132E73BC1FD92AC78C8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008135Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:59.964{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E27C5F39888577E3ADF263FC5EBFC9DB,SHA256=D0A7BF12C79BBD7B6B4276C2A8B067A0B13315C7E47506CA222D6B4AF38462A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023849Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:45:59.006{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D5D6118C6AF93B06D474AA12BF93E70,SHA256=F42015711AEB2A5FC9F0356EFE9C5F1D68B3B9BA29751CCAB5F90F864023B6C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008137Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:00.980{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E0B9F5354E6B77360193B311CDF7623,SHA256=A90F7641224923D3A84319ED0B7203CCBA2C63D790A840AB8CB60BEDE246E816,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023850Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:00.022{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A082F2988CBC2D6BFBBF6380076AC65D,SHA256=128648E9A42F11D921815EAAFFA3EC9FE5DEF8E5A431AE26E89A2AADB2170C2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008136Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:45:58.092{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49934-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000023851Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:01.084{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=653CDDFF7D6A78C7015F94FFB26948E6,SHA256=64919A59CCC32708A68824BBB02B88A682AEE1106E29332A385F5F958DB82600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023852Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:02.319{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B6407203EEFA645D2BAA873FEB0BF1B,SHA256=E7F8D06CECC68AB2232B75550BBBFD0284410FB83B892E912F3C42533ED270EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008138Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:02.027{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B157FD83072C4009E969D634E83B18F7,SHA256=CEE70AA6FB81699C0F9B1AF88ACE9E49F7EC3E9B97395E191D872C1744B37FA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023853Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:03.365{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B28EFFBBD254AB2707DF13976BF0113,SHA256=93778B02531BB52ACED89240A7E95B4B0A75173AC892588110EB9B9747364CB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008140Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:03.686{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\respondent-20211005072534-019MD5=9DBD3CF651CAD1963D7DD9E70795396E,SHA256=D00FE5240C0E39CC33FD8ADFFDA13197E8833401D0A3D05F731F6A79B8E00229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008139Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:03.261{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C0C6F53A036F1105010EA7E9FEA55C4,SHA256=089DA200D53EE52F779B6F8C8E5201694F85162F587DDC2E6B30D1B096F97D55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008142Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:04.685{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\surveyor-20211005072532-020MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008141Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:04.496{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B01A58507F397496488F04DAA1EEC945,SHA256=9C6C544B17BBB06BAC47F98013E1BFF0514AA65845DC9E092D2A81283CBFCF97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023855Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:04.381{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69999CCDDF093230525D0F78FDD6AD9D,SHA256=F91E70A5C6CD038070A0BEE2A0468AA734FEEECD1C48BD9297C9EE9D028AB8B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023854Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:01.722{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61988-false10.0.1.12-8000- 354300x80000000000000008144Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:04.076{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49935-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000008143Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:05.672{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=561B2B91F45322AD9ADEB3253557EB5E,SHA256=B69C1D732EA0C825BFDDF47AF399EB2FA8610092A7F443A9E7A0C58FE7A62B32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023856Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:05.428{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E63EC45371E4C0439DE1A0D6CF726979,SHA256=3017E4E081C67DF039EFE4C7D3A74904352AFB857EDE86E351AA2EA0CB87F57C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008145Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:06.672{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEF53B8CE0939DA7BDDDCB683C6E3E5D,SHA256=6B19AB00430ED33754674AD48C87639420E7AC7142907CB990952ADCD0DC5055,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023857Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:06.444{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6588728AC18807EBC6A84B4CD1CBCC,SHA256=8C6F82C9C72774692672F6A87193EF8C80C277D508222ABD81818685B00016A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023858Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:07.459{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5292CE32108E58351BDF07492852DFAB,SHA256=4D9D495D773ED01ABAC487A753DE1D047CFB0332B36ED850C4E85A3D7B4FB5EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008146Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:07.672{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4E0A8191B41ACA4590B9335AA4A4767,SHA256=01F40DFA53FCE6FED7068D3AD2EE47145CF1F369D82E5C523EE311F85F974334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008147Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:08.688{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20396F11A2A65F47543DEDF518690F67,SHA256=774090C2078E5284031749CA348ADE9D7AF24FA08B59D9A3165F7F809EE4AEA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023863Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:08.459{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DED4509EB2B9105007056952E3A9F66C,SHA256=F5875201F15B5800291FF9E8CE46E67EA9A76640297400738B6028BF42FB7105,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023862Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:06.769{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61989-false10.0.1.12-8000- 10341000x800000000000000023861Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:08.225{6EDEAD03-FF62-615B-F802-00000000FB01}50525760C:\Windows\Explorer.EXE{6EDEAD03-02AC-615C-3D05-00000000FB01}3236C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023860Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:08.225{6EDEAD03-FF62-615B-F802-00000000FB01}50525760C:\Windows\Explorer.EXE{6EDEAD03-02AC-615C-3D05-00000000FB01}3236C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023859Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:08.209{6EDEAD03-FF62-615B-F802-00000000FB01}50525760C:\Windows\Explorer.EXE{6EDEAD03-02AC-615C-3D05-00000000FB01}3236C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000008148Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:09.704{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AFDD09586955B04E40D803309B97ED3,SHA256=D91C2425087D9DA6E284FF96B73802592A2D018B53338A99FD57E97B8F649A35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023871Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:09.490{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=768CC771CF6DD5554FF373FAE058BD9B,SHA256=BD374F6518C0369B85B143CD6AD2AE368448B4E96123CF6C054C22FAE2D5800B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023870Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:09.147{6EDEAD03-FF62-615B-F802-00000000FB01}50525760C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023869Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:09.147{6EDEAD03-FF62-615B-F802-00000000FB01}50525760C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023868Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:09.147{6EDEAD03-FF62-615B-F802-00000000FB01}50525760C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023867Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:09.131{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023866Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:09.131{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023865Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:09.131{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023864Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:09.131{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000008149Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:10.844{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C888E7752A3B24528ABA76EBC68C3CF8,SHA256=A4B242E771213618219CA3497227C9515FE391BB69DAEA62753890DF420F52CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023872Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:10.490{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF18C242C7A8FAE29BAB7168A66D9004,SHA256=80990633745C05792DFDF8C2FB3A539E60CE463D09F5ABB1FB098C65D4F13A97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023873Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:11.506{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC1E5DEF17FF3DD5955C6D959D4F2828,SHA256=55D0AD6D8DE344D6ACB9EB94FCD48C7391E711451764CD314AFBEBD5DA3E8CB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008150Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:09.143{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49936-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000023874Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:12.506{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E02A62F3AA8EFE12FEE8643E66CBCB69,SHA256=783B1A7CF7B107EDCA8126567E1ACDB9BB2881BB69454549557B776B5E13BF46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008151Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:12.001{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFDD60ABACF9A8D0DE1CE4C7E500498E,SHA256=65DE07BAB7A729F65D774887A089080CE8A2019FE9B76FA06C833B0BFFE110B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023875Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:13.506{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C95BF84B95FB037F7C2D34CE54607A7,SHA256=3CDCA5527695D98DB8D3AF70A3A113B88940385C4D6CC9E58A9496D3F8CD8B5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008152Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:13.001{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30B931A7C8A23212B2D88499E8BFDC19,SHA256=24DA62670CB9E78159FCD497D2A7DC4F75E81E0E779A1447A2599FEA890F1991,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023877Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:11.816{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61990-false10.0.1.12-8000- 23542300x800000000000000023876Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:14.522{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=768B8D8D280BE8FC29D25EDCA803F9B1,SHA256=A81E9EFC391C0338CD75F387C8C7FC4C89B9381689C1AB7C4D9E20FAF421D0F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008153Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:14.219{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0C362BD97C9057080B7327B1C9F4918,SHA256=E6FB800226EB9D961B6EC07CEDD9EDD084D3814A497C7442672F27ACB3194ACF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023878Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:15.584{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E878C518682982C44AFAA0D16E0441,SHA256=8DF51F04DD196275F12B9784EB082085150F8E6FAB22F2F58CF765AC5F397630,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008154Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:15.422{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C96B89919355A005D9A81B0A713A7772,SHA256=AFB8B9BD60567D8ED20564E70A6D5EDCBECBB30F121961F1372C7D0EB0DE48F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008155Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:16.547{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C443789BB796F8A95698A0ABFEFF3FB,SHA256=33752FF4723E141D1978F9D318191C86F7C3B3BAB17D6F78A6E4CF92C07EE583,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023879Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:16.615{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9741D062C2C2847EC42A6C1416C721CA,SHA256=B3EBA9BDE791030FF5E63E8C7AF7F9A094A1295B58F4A9644FA64D63E5E332B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008157Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:17.588{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAB30F8B62ACF11575700BE92CE5B39B,SHA256=81DCA99815B26F738956193C1A0234CC5C905EAC6641D66A4983F555294F6C9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023882Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:17.645{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA257BB9346A30CF2513C901C8E436BF,SHA256=2EA30275EEC00130703050E01810076ACC4A343DC080E5C51D5644617C23B156,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008156Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:15.174{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49937-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000023881Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:17.350{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF27524CE97C4B123618C0E6C8B26D37,SHA256=99192466E9C2DBF7E19548C8474998B009C6776884C9A480EEE3D7D39B4768FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023880Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:17.350{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=897DAE5701B5B09F55FC2DE968ACB6BE,SHA256=9842ADC355719B43C88016BC5457779A420EFDEDFE6D50153B6DB79871A15F53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008158Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:18.635{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=702B298055E1403C85927757112840C9,SHA256=D13BC98D5DE99ED87B29BE8FB1BFF53450BEC3A8EBE772FB69564883010377BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023885Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:18.661{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F754ED9A6616075F16BCAC10A8FF0D16,SHA256=19E0325723685EF7DB5873CB27F8D8C9F6A5FAB9A760079A7FBD6E1F5AB15AB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023884Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:15.941{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local61991-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 354300x800000000000000023883Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:15.941{6EDEAD03-FC2A-615B-2900-00000000FB01}2912C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local61991-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 23542300x80000000000000008159Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:19.760{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6E4C9B7EAF1468BA3C5478A79802FF3,SHA256=436A9BFD217033F7A3656AD62F8E9ACE6A2CAFA8D795B98688BBC3B719EDA141,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023886Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:19.676{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB61BF7EE6B8ED7E08A816489C177584,SHA256=BC0D63BE253502D72B732C0113E89F3CFDD31D2040CF7316BEBC39506969A6E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008160Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:20.760{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5FE9A21DAF04AF72FF7630C639D9FB9,SHA256=F2FF1C9096CF1FBA1CE0F1CD0C67E1D7A7690AE1E2FCB17B97FF248873D0518F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023888Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:20.692{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1999D08E59D487A0437D96883CA8B86,SHA256=716AB1FB7645652DBAF23C8CE135F615722EC8B14B5E3B4E5BAFAA66917A13F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023887Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:17.783{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61992-false10.0.1.12-8000- 23542300x80000000000000008161Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:21.760{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0347C6598063F141CE32572DE6D489AC,SHA256=2C049097DD86E8E5D0094017475A209AE5DCE78F4A444FE0482F0F46D9F53136,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023889Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:21.754{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0AA5A03BFA3B8EB20E5DCAC8702FD0D,SHA256=ADCE513DF0C72D83EC597B3E597EF76286EA36E0220FDF02D3910FE04D36000F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008163Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:22.775{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C2B4640D6668D486A45E009DBAE9835,SHA256=596179E121B8B260D4DC4AF34647502CC62437039E6CDBE05F8A8466E92E993A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023890Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:22.895{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3746F6E8DB693165E33A0C571138F97B,SHA256=A2E425FBCF15E2A7A5E6641103916F81050BBDE0A6FACA0012E610ECC8F4B737,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008162Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:21.183{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49938-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000008164Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:23.791{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE780CACAF514D6F8BD99809C6530C3C,SHA256=E99048515C0A978D28A72B33AEC38C608D711F02D51AFF20873CFAF37FA98FA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023891Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:23.989{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D6E4B619ABF75A0A7F9289C455EC07D,SHA256=842788F7BC3707D354F67B56F8B7C51B69F44421B43F01BB5D87A366C6E1FCCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008165Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:24.791{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88D2E595BC625A0D6D80A66E30A6B886,SHA256=BEE642ABB40A3F0BDA866A235C0DC7E9B819480CFCD5E3E41B7FAF0C1F22DCF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023893Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:22.830{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61993-false10.0.1.12-8000- 23542300x800000000000000023892Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:25.036{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DE4DA31193254EA18E21EE683C3C2E4,SHA256=6683E7FD1602F7EFDCD06EC4C04B1F85562CA8F40B91503837CEDE1841010D39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008166Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:26.025{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A31B486268848285099454F29D2866B,SHA256=594F3139BC847C3BB043D2AC41215F8B77D81F5315ECE7270F89B67D21E7F177,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023894Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:26.082{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D429C7AC47F2C90EEF9B5E4ADB1E2CE3,SHA256=2564AA95CC248C855BAD3172EF8D8D12A40F4107657C2CC49229B8F96B76B603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008167Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:27.244{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=353010C937CB12376DE5B1298610648C,SHA256=7433F1DE754B82EF7EE3935E8441D77752389FE35B021E49499D44F166287F97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023895Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:27.082{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B94EDE9F1A9F95981E12D6B58AB27EC9,SHA256=75BF10D478ED8F4178782DE2AA9CA6375FD1FA53554D643FA0EC516EC214CAF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008169Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:28.478{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D19858CED09A188B31975825EE514B63,SHA256=927E9AF0528AD14078B042D618A9BF7133B054688BCE2DE54FB433981F4A02D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023896Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:28.082{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28C79828AE576C1BB48A9EA344321B9F,SHA256=49FFDAE2BD6C5E519C12542043F10B632C105E20B49234677ABEF973DA5D21A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008168Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:26.231{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49939-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000008170Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:29.681{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33CED7359EFBF32A1713BF9BEDC083B8,SHA256=BBC0BED4F1439215978922F728C021F4802AAFAF273B39896AF4D3EC3D756FA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023898Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:29.082{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F990FAE8A7F5291FAF0ECEC655B89DB2,SHA256=6A9D6ED84137C88603F093BD35D2E45693D3C85F3A19ED93A3C746FA4ABDE66D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023897Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:29.035{6EDEAD03-0272-615C-3205-00000000FB01}5632ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-10-05_074622MD5=4688E8BAC0EC95462972E2FBEB1437C2,SHA256=B1286ECE3E7FB2D5CF11B3417DB2BCD7C0C3E6C09CC46B4CFB58E828086B9BF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008171Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:30.806{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DD8663115CB43DE5F021804AD80FC27,SHA256=07B4280CC4C78BB52016A0CD20F2ECBA9B2CC87F252AFC6F34A9C145F27333F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023899Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:30.098{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBF202FC614C0528C906AC1B882CE4ED,SHA256=6CCD93B8EBEFEDB27738E0999253EF9ADE128107CECBE17D5D24A23C74B0BF35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008172Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:31.806{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=528FAD58351676A002A1DBF0BC348767,SHA256=ECE0328E3EA04A2F8CB97B5D053436EE6A68DAB4233D91801D988923FF7A148D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023901Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:28.752{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61994-false10.0.1.12-8000- 23542300x800000000000000023900Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:31.114{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23CCDF1FAAA15122FC2D76224920BE5F,SHA256=83D0A087F07F498495C1DE9DD17982A4793FD84E510FA4B8BE79909BB36BBE0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008174Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:32.806{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03F35D15C95F469DBC564E5F9FD197CF,SHA256=1A8E75E74E5B1163446942A546C3E52AC4DB59DF07240E95BC54A5421F0B5171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008173Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:32.197{49C67628-FDEB-615B-1100-00000000FC01}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1BB4E6AC8F581C7F32BD84B5B4E1B823,SHA256=19B7AC4FCD9BDDC6A91002A19B1456B0D8F37C2E24843E69992C6E344CDE5DA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023902Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:32.114{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B033815DE4F52D9844C965C77EE5D99C,SHA256=49DE8BF7C584C601444914F349C0A072FD51CD8F6A15D17F420A0D28D8B30F5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008176Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:33.806{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B76C416211DADAC7E803A645709DDC29,SHA256=21FCDD0EF2C2BF00E8D67ED3B9F4D251F7D77329D1135012145BCB2362FF63C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023903Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:33.114{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3C3EB498E15561FD8DBB2FA750FBB87,SHA256=A11F1164CABD274175F47A76371E3B38ACB4931A079C97B2C9385788B3EB925B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008175Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:32.058{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49940-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000008177Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:34.806{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C08F77A18B746A85CCF6AF8BD2C1A16,SHA256=BDD0B4D70A2EAE5CCE4058CAFAB808CA53BF0F1C4C899EFEE16094C9944AC655,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023904Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:34.114{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F23A314209BC0C50453805E6B876E95,SHA256=E98CF24122975F0EE0BA94B89DB62E4E58B39690523C19376CC2E76022F6254B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008178Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:35.807{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11C928BA72B03D8D3F61A1DB3036524D,SHA256=D287654CF7AB1D9BFE0D4ECDD7E5C4BA3C8E2FEDE7EFA5563762167DF8E8B886,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023905Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:35.145{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2403C20A6C54486084BCDDABDDBFD22F,SHA256=860AA17BD57930BAF29BDADB3C2360C4984A39945FB248E345214A0FB402F246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008179Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:36.822{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B14AA9DEC1DCE2B0BDD61A4A03981A53,SHA256=52B1C2A31D2E459C3549B596E939D92BD5D2AE15BFCCDC59311787CB8CB13625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023907Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:36.176{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF3086E8B2BAF8B27AFC03803C25BF4C,SHA256=A090526B1FE173710444C6D4674DCB819BBCDBB8190BBE8645CC55802E06A6BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023906Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:36.051{6EDEAD03-0272-615C-3205-00000000FB01}5632ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-10-05_074622MD5=62DBA4744692A025AD6309828EB6DB84,SHA256=DD9A9780644BAB9B00A1F398A92D297E9BA0F37AC95BF328439DE14747688A5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008180Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:37.827{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AAA2B1A9C9140C56013A60E32403CD5,SHA256=87DB4D920D8AF2C0EE65A27B5ED7DFCD51D682D1D3ABB72BC7AD5D20F8E3BDF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023909Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:34.783{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61995-false10.0.1.12-8000- 23542300x800000000000000023908Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:37.270{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBE6DCF8E4919087831BBD1D7A13B63F,SHA256=C3C1DFE9F605C8B4B78C4C964C34D2232053C16B897B158AC6103253CBB5F130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008182Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:38.827{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=382DA637C2BD9EEA3137831FE00F56BA,SHA256=2162CBBB44372D50420721A7501DF5F70D2CC2F5A8A33DE6610A0E033CCED78B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023911Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:38.837{6EDEAD03-FCBF-615B-AF00-00000000FB01}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023910Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:38.305{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1AFABDB7AAD8A9509FD6F3B12AFDF20,SHA256=0BC2676450A27024DB15633733A8101FF997C85C207A5F3EDA2797145599E30A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008181Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:37.246{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49941-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000008183Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:39.827{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B490C6F994D5CC46CB3F71F1BB76A8,SHA256=39D94AC947AD2C645CEDF3662E1F835A2E814DD89583322ADB1ED63B96E808C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023912Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:39.337{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5AC217D2195327B9FF231E8B4EC9C79,SHA256=F4AD4DCCD6B74A932C38976F745F2D1CBF8C6017B94005D56C582750C2DB2954,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023922Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:38.428{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61996-false10.0.1.12-8089- 23542300x800000000000000023921Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:40.352{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DFCAF98FA13C585CA61C8ACD1747F86,SHA256=C92A94A2E9B68886F902B118EA35D0087851D152B0E9A33F1FD1C3DCCF281E75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023920Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:40.337{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-02E0-615C-3E05-00000000FB01}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023919Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:40.337{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023918Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:40.337{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023917Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:40.337{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023916Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:40.337{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023915Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:40.337{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-02E0-615C-3E05-00000000FB01}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023914Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:40.337{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-02E0-615C-3E05-00000000FB01}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023913Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:40.337{6EDEAD03-02E0-615C-3E05-00000000FB01}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023942Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:41.680{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-02E1-615C-4005-00000000FB01}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023941Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:41.680{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023940Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:41.680{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023939Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:41.680{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023938Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:41.680{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023937Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:41.680{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-02E1-615C-4005-00000000FB01}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023936Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:41.680{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-02E1-615C-4005-00000000FB01}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023935Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:41.681{6EDEAD03-02E1-615C-4005-00000000FB01}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023934Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:41.383{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DC0A8FB69ACC99EFFDFBFE520EC107B,SHA256=87970047BCE5C53B0EB2C71A6C07CCCDAC9528BFF3344BEB3E59C687746D0D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023933Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:41.383{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF27524CE97C4B123618C0E6C8B26D37,SHA256=99192466E9C2DBF7E19548C8474998B009C6776884C9A480EEE3D7D39B4768FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023932Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:41.368{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=551E1326625DDB53772C80D18260A522,SHA256=AB869D9B869B74186EF3C84E4F7893D78519136ED6AE49C38125E8B655C01B22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008184Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:40.998{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=203C5995F983BBD861DB7019962CB148,SHA256=1AE058520D713E50E1184641E7444269ACB4C9278F6AEB1FF13B1D4917CD623F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023931Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:41.149{6EDEAD03-02E1-615C-3F05-00000000FB01}56802212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023930Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:41.008{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-02E1-615C-3F05-00000000FB01}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023929Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:41.008{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023928Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:41.008{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023927Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:41.008{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023926Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:41.008{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023925Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:41.008{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-02E1-615C-3F05-00000000FB01}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023924Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:41.008{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-02E1-615C-3F05-00000000FB01}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023923Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:41.009{6EDEAD03-02E1-615C-3F05-00000000FB01}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023954Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:42.852{6EDEAD03-02E2-615C-4105-00000000FB01}50766900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000023953Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:42.680{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DC0A8FB69ACC99EFFDFBFE520EC107B,SHA256=87970047BCE5C53B0EB2C71A6C07CCCDAC9528BFF3344BEB3E59C687746D0D97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023952Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:42.665{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-02E2-615C-4105-00000000FB01}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023951Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:42.665{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023950Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:42.665{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023949Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:42.665{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023948Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:42.665{6EDEAD03-FC1D-615B-0C00-00000000FB01}848880C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023947Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:42.665{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-02E2-615C-4105-00000000FB01}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023946Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:42.665{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-02E2-615C-4105-00000000FB01}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023945Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:42.541{6EDEAD03-02E2-615C-4105-00000000FB01}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000023944Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:39.788{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61997-false10.0.1.12-8000- 23542300x800000000000000023943Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:42.446{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E20965E926EA91E38D763DF7FA549D9D,SHA256=A289F0BC299C41593169915682CBC84CB3C47B0E5D3FC55C624651FC9ADE5657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008185Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:42.217{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1004AC358EFBE34F7E8DD268A3E34DDA,SHA256=E22997AB2E6452652AD1224D9B6F34B41D08A33F36AE25AB50223268C0B053CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008187Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:43.452{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C882ECF16510EAC2755D94B1D1F4BD9C,SHA256=8EE1D310A4AB72F9D27C30D404F8995255BAE57BA0095D32C1BD74CEBACB100F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023965Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:43.555{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE826958383763C46E7907BCA4DC5594,SHA256=8823DEC244E1BB26B90990D5F459D5083DEFF705BCBF6D3213970603D1B73B96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023964Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:43.508{6EDEAD03-02E3-615C-4205-00000000FB01}2884296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023963Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:43.337{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-02E3-615C-4205-00000000FB01}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023962Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:43.337{6EDEAD03-FC1D-615B-0C00-00000000FB01}848304C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023961Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:43.337{6EDEAD03-FC1D-615B-0C00-00000000FB01}848304C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023960Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:43.337{6EDEAD03-FC1D-615B-0C00-00000000FB01}848304C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023959Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:43.337{6EDEAD03-FC1D-615B-0C00-00000000FB01}848304C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023958Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:43.337{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-02E3-615C-4205-00000000FB01}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023957Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:43.337{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-02E3-615C-4205-00000000FB01}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023956Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:43.337{6EDEAD03-02E3-615C-4205-00000000FB01}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023955Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:43.055{6EDEAD03-0272-615C-3205-00000000FB01}5632ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-10-05_074622MD5=9164F08A157D51366281AD47F62D80CE,SHA256=4A59F671D83F03BFA584C8D62CF4121098D8876082D855744084D1C8A728176A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008186Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:43.139{49C67628-FE68-615B-9F00-00000000FC01}1772NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008203Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:43.266{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49943-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000008202Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:43.159{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49942-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x80000000000000008201Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:44.795{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-02E4-615C-6A01-00000000FC01}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008200Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:44.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008199Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:44.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008198Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:44.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008197Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:44.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008196Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:44.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008195Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:44.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008194Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:44.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008193Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:44.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008192Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:44.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008191Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:44.795{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-02E4-615C-6A01-00000000FC01}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008190Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:44.795{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-02E4-615C-6A01-00000000FC01}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008189Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:44.796{49C67628-02E4-615C-6A01-00000000FC01}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000008188Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:44.655{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34E2B5D138082BF5F4E5396936B49D65,SHA256=68D1CDF3A37986667ABA1582FCDE267BD06266BF7EFD326DA910ED95782A86B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023986Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:44.586{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1303C9586C51C5DF9BCC025BB438711A,SHA256=C46B84D98AF1B0794063997B01A560BE5ECB0E92D364CCC299CF5475AC9373DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023985Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:44.524{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-02E4-615C-4405-00000000FB01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023984Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:44.524{6EDEAD03-FC1D-615B-0C00-00000000FB01}848304C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023983Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:44.524{6EDEAD03-FC1D-615B-0C00-00000000FB01}848304C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023982Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:44.524{6EDEAD03-FC1D-615B-0C00-00000000FB01}848304C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023981Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:44.524{6EDEAD03-FC1D-615B-0C00-00000000FB01}848304C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023980Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:44.524{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-02E4-615C-4405-00000000FB01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023979Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:44.524{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-02E4-615C-4405-00000000FB01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023978Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:44.525{6EDEAD03-02E4-615C-4405-00000000FB01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023977Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:44.368{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7DC56CBFAB8C1169A0E94E541F7AED3,SHA256=6182AA2A440873A5EBA4F48EF9FA39E9A1B0A85D753B396FDB9ED53496C8638F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023976Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:44.274{6EDEAD03-0272-615C-3205-00000000FB01}5632ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-10-05_074622MD5=D48EEE08294BFD77E2759DB6B67F351B,SHA256=2C9D7A35C48E03F6D6841E32AEE8E156B985F220C9F0A4F8C06BA655278EF4E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023975Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:44.258{6EDEAD03-0272-615C-3205-00000000FB01}5632ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=1430C209EFF7FD5583D3D311A56A889C,SHA256=75358E8028A9D2A1CC1782C71200ED0E529269E98BDC3389937C592CA9D2EB8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023974Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:44.196{6EDEAD03-02E3-615C-4305-00000000FB01}6132724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023973Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:44.024{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-02E3-615C-4305-00000000FB01}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023972Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:44.024{6EDEAD03-FC1D-615B-0C00-00000000FB01}848304C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023971Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:44.024{6EDEAD03-FC1D-615B-0C00-00000000FB01}848304C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023970Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:44.024{6EDEAD03-FC1D-615B-0C00-00000000FB01}848304C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023969Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:44.024{6EDEAD03-FC1D-615B-0C00-00000000FB01}848304C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023968Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:44.024{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-02E3-615C-4305-00000000FB01}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000023967Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:44.024{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-02E3-615C-4305-00000000FB01}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000023966Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:43.901{6EDEAD03-02E3-615C-4305-00000000FB01}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000008220Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:45.936{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A379A3A50F2E36DA614B05B0C5D09C12,SHA256=1B5F715C1DB9443C8AB4EEE081192388661E21139F3F737281B0BA40E923525C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008219Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:45.936{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CCD8EBDDD3ED73CC3456615073B616F,SHA256=BC9452778C2036F892F12290D25D88E6DBEECA5C687141755D00EF554C65F096,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008218Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:45.936{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A8CDAB4A5A81C018AE81B7542EF7C8D,SHA256=179AB453D846B3EB82D0549D95945D90E64FA254BAF694022900685B55EDE439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023988Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:45.586{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A993C03AC36558052021F7364E739B73,SHA256=3D5E951DE7AABC430E93182D0D64ADA2F866FE147CC3104F48C3C6B3941ECAC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008217Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:45.639{49C67628-02E5-615C-6B01-00000000FC01}7923464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008216Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:45.467{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-02E5-615C-6B01-00000000FC01}792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008215Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:45.467{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008214Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:45.467{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008213Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:45.467{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008212Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:45.467{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008211Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:45.467{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008210Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:45.467{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008209Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:45.467{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008208Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:45.467{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008207Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:45.467{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008206Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:45.467{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-02E5-615C-6B01-00000000FC01}792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008205Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:45.467{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-02E5-615C-6B01-00000000FC01}792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008204Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:45.468{49C67628-02E5-615C-6B01-00000000FC01}792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023987Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:45.524{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A3F94A72403BB7330DB8FB47D265298,SHA256=B6E735DF2AA0DE7835B6D1D7DA2B32F7E60E2305D96088006D412ADFEF6B5259,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008234Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:46.967{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA6ED3B4902B8FCA51BA00E5A36B21C6,SHA256=5D220826EA926DA2F34DF101DBF54DFD89D5006EA4B3D847AB70F9AC59357270,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023991Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:46.701{6EDEAD03-FC1D-615B-0C00-00000000FB01}848304C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1600-00000000FB01}1288C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000023990Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:46.590{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=326C7AD86F4E953B7B977043B1B3CC08,SHA256=8BBC12E88C890511B055B4B8807DB973AC495319767B9B7564C2289CD6A38968,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008233Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:46.139{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-02E6-615C-6C01-00000000FC01}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008232Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:46.139{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008231Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:46.139{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008230Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:46.139{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008229Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:46.139{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008228Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:46.139{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008227Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:46.139{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008226Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:46.139{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008225Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:46.139{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008224Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:46.139{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008223Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:46.139{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-02E6-615C-6C01-00000000FC01}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008222Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:46.139{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-02E6-615C-6C01-00000000FC01}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008221Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:46.140{49C67628-02E6-615C-6C01-00000000FC01}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023989Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:46.513{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\respondent-20211005071805-027MD5=AA6F78CCC35FD74424B933C975A9F779,SHA256=482DFC86E7C4A11E76E3E352EB64B396C84C083D9F57F37823883232EC55A225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024004Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:47.636{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01AD110A74D4E1EAB9941108A9DF7292,SHA256=E06B87836AD502D123F70D02615153DA31DB2822E62C1B2FE2E4B0C06B7F271F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008249Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:47.295{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A379A3A50F2E36DA614B05B0C5D09C12,SHA256=1B5F715C1DB9443C8AB4EEE081192388661E21139F3F737281B0BA40E923525C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008248Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:47.271{49C67628-02E7-615C-6D01-00000000FC01}1232936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008247Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:47.077{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-02E7-615C-6D01-00000000FC01}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008246Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:47.077{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008245Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:47.077{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008244Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:47.077{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008243Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:47.077{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008242Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:47.077{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008241Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:47.077{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008240Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:47.077{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008239Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:47.077{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008238Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:47.077{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008237Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:47.077{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-02E7-615C-6D01-00000000FC01}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008236Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:47.077{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-02E7-615C-6D01-00000000FC01}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008235Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:47.078{49C67628-02E7-615C-6D01-00000000FC01}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x800000000000000024003Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:46:47.574{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000024002Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:46:47.574{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001a9c22) 13241300x800000000000000024001Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:46:47.574{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b9b4-0xc45e23e7) 13241300x800000000000000024000Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:46:47.574{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b9bd-0x26228be7) 13241300x800000000000000023999Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:46:47.574{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b9c5-0x87e6f3e7) 13241300x800000000000000023998Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:46:47.574{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000023997Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:46:47.574{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001a9c22) 13241300x800000000000000023996Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:46:47.574{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b9b4-0xc45e23e7) 13241300x800000000000000023995Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:46:47.574{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b9bd-0x26228be7) 13241300x800000000000000023994Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:46:47.574{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b9c5-0x87e6f3e7) 10341000x800000000000000023993Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:47.542{6EDEAD03-FC1B-615B-0B00-00000000FB01}6364472C:\Windows\system32\lsass.exe{6EDEAD03-FC18-615B-0100-00000000FB01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000023992Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:47.515{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\surveyor-20211005071802-028MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008278Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:48.936{49C67628-02E8-615C-6F01-00000000FC01}1092392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008277Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:48.795{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-02E8-615C-6F01-00000000FC01}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008276Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:48.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008275Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:48.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008274Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:48.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008273Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:48.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008272Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:48.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008271Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:48.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008270Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:48.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008269Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:48.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008268Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:48.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008267Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:48.795{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-02E8-615C-6F01-00000000FC01}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008266Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:48.795{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-02E8-615C-6F01-00000000FC01}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008265Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:48.796{49C67628-02E8-615C-6F01-00000000FC01}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008264Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:48.639{49C67628-02E8-615C-6E01-00000000FC01}13883140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008263Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:48.295{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-02E8-615C-6E01-00000000FC01}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008262Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:48.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008261Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:48.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008260Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:48.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008259Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:48.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008258Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:48.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008257Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:48.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008256Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:48.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008255Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:48.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008254Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:48.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008253Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:48.295{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-02E8-615C-6E01-00000000FC01}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008252Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:48.295{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-02E8-615C-6E01-00000000FC01}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008251Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:48.296{49C67628-02E8-615C-6E01-00000000FC01}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000008250Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:48.202{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F6DF61ED5D9C26A18C380234E38B019,SHA256=FE1489048ECB2921F950C59295DA3A3E89490A6A27AF5D4CC39758FDE81B808B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024009Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:47.053{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local61999-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local389ldap 354300x800000000000000024008Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:47.053{6EDEAD03-FC1D-615B-1600-00000000FB01}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local61999-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local389ldap 354300x800000000000000024007Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:45.773{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local61998-false10.0.1.12-8000- 23542300x800000000000000024006Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:48.640{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED6776B9D85A46218457FFF8CC42D76D,SHA256=EFBE7EA1F8744306C9898FD7DC1F008094EC4795A29B6018368D9AEDE0ADFDEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024005Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:48.437{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19E59360C236AA6930E44C9C539BBDC7,SHA256=E6EBBC775CD50EF183018F6F7CC9AE812309C23156F0AD7B923664DBA6921DF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008293Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:49.717{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-02E9-615C-7001-00000000FC01}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008292Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:49.717{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008291Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:49.717{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008290Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:49.717{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008289Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:49.717{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008288Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:49.717{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008287Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:49.717{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008286Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:49.717{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008285Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:49.717{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008284Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:49.717{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008283Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:49.717{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-02E9-615C-7001-00000000FC01}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008282Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:49.717{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-02E9-615C-7001-00000000FC01}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008281Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:49.719{49C67628-02E9-615C-7001-00000000FC01}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000008280Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:49.717{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=677AF8A862A6FA7085582F0DA90FE6C9,SHA256=CD565A0B72F1AF023491434DFECA1837A76213BF715A020CBADDCC35F445C812,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024040Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:49.718{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024039Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:49.718{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024038Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:49.718{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024037Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:49.718{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024036Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:49.718{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024035Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:49.718{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024034Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:49.718{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024033Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:49.718{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024032Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:49.718{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024031Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:49.718{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024030Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:49.718{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024029Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:49.718{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024028Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:49.718{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024027Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:49.718{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024026Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:49.718{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024025Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:49.718{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024024Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:49.718{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024023Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:49.718{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024022Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:49.718{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024021Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:49.718{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024020Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:49.718{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024019Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:49.718{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024018Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:49.718{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024017Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:49.718{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024016Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:49.718{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024015Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:49.718{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000024014Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:47.154{6EDEAD03-FC18-615B-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local62001-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local445microsoft-ds 354300x800000000000000024013Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:47.153{6EDEAD03-FC18-615B-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local62001-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local445microsoft-ds 354300x800000000000000024012Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:47.060{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:2c9d:2f3c:f5ff:fef1win-dc-676.attackrange.local62000-true2001:0:2851:782c:2c9d:2f3c:f5ff:fef1win-dc-676.attackrange.local389ldap 354300x800000000000000024011Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:47.060{6EDEAD03-FC1D-615B-1600-00000000FB01}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:2c9d:2f3c:f5ff:fef1win-dc-676.attackrange.local62000-true2001:0:2851:782c:2c9d:2f3c:f5ff:fef1win-dc-676.attackrange.local389ldap 23542300x800000000000000024010Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:49.687{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33AFB1E093AE5B666F3804061B35E828,SHA256=FB606B078CC1625061637A8D3274D29D30C66A409D31B4B3584417D2B0C6A4EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008279Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:49.295{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B252D265203CB4AA92BEB3DF17029568,SHA256=1B774D329371F5214D4569AFBFA59D9B646B966E444543D01B4370C2FA7BDA49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008296Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:50.764{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=589839A6BCABD94DC4379C5F3FD93A84,SHA256=D98CFE7899527920D42D0C05A8EF626587C3DEC7711A71A4F40AD553CA5D6E1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008295Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:50.717{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BDBFFAED64455AC262D0E021D024BF8,SHA256=543E27FF73A410E8DEFF40E484C6B7049BC9710809FC23C815E1F42ABB6CDDD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024071Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:50.734{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B68A12FB8FA255D9D4C90D396DCD7022,SHA256=82B0CF6B390C9ED71B3027BD4DDE3A9C9A3B562EAAA918709F5BE5A3B99A606B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008294Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:48.282{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49944-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000024070Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:50.640{6EDEAD03-FC1D-615B-0D00-00000000FB01}9082492C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1100-00000000FB01}480C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024069Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:50.640{6EDEAD03-FC1D-615B-0D00-00000000FB01}9082492C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1600-00000000FB01}1288C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000024068Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:50.422{6EDEAD03-FC1D-615B-1200-00000000FB01}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5C2BBBEA6DE1FE9CA992DC6F32591AC4,SHA256=3A6659A6708A92E440E41C1B7BF0D5E5784950E51ACA4062B46CA6FE4A060A50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024067Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:50.234{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A073E4E3D59950A3F39F84BECFB771DB,SHA256=BC57B497ACFDC7846D1DF5752C862B60048095603E4E6770861F3D5F531A5EE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024066Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:50.188{6EDEAD03-FF62-615B-F802-00000000FB01}50524504C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4505-00000000FB01}1884C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024065Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:50.188{6EDEAD03-FF62-615B-F802-00000000FB01}50524504C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4505-00000000FB01}1884C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024064Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:50.188{6EDEAD03-FF62-615B-F802-00000000FB01}50524504C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4505-00000000FB01}1884C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024063Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:50.188{6EDEAD03-FF62-615B-F102-00000000FB01}49805088C:\Windows\System32\taskhostw.exe{6EDEAD03-02EA-615C-4605-00000000FB01}3588C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024062Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:50.188{6EDEAD03-FF62-615B-F102-00000000FB01}49805088C:\Windows\System32\taskhostw.exe{6EDEAD03-02EA-615C-4605-00000000FB01}3588C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024061Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:50.172{6EDEAD03-FF62-615B-F802-00000000FB01}50525852C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4505-00000000FB01}1884C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024060Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:50.172{6EDEAD03-FF62-615B-F802-00000000FB01}50525852C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4505-00000000FB01}1884C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024059Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:50.172{6EDEAD03-FF62-615B-F802-00000000FB01}50525852C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4505-00000000FB01}1884C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024058Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:50.156{6EDEAD03-FF62-615B-F802-00000000FB01}50525852C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4505-00000000FB01}1884C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024057Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:50.156{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4605-00000000FB01}3588C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024056Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:50.156{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4605-00000000FB01}3588C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024055Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:50.156{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4605-00000000FB01}3588C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024054Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:50.156{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4605-00000000FB01}3588C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024053Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:50.140{6EDEAD03-FC1D-615B-1600-00000000FB01}12881440C:\Windows\System32\svchost.exe{6EDEAD03-02EA-615C-4605-00000000FB01}3588C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024052Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:50.140{6EDEAD03-FC1D-615B-1600-00000000FB01}12881316C:\Windows\System32\svchost.exe{6EDEAD03-02EA-615C-4605-00000000FB01}3588C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024051Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:50.140{6EDEAD03-02EA-615C-4605-00000000FB01}35886968C:\Windows\system32\conhost.exe{6EDEAD03-02EA-615C-4505-00000000FB01}1884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024050Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:50.125{6EDEAD03-FF5F-615B-E202-00000000FB01}9723852C:\Windows\system32\csrss.exe{6EDEAD03-02EA-615C-4605-00000000FB01}3588C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024049Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:50.125{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024048Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:50.125{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024047Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:50.125{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024046Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:50.125{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024045Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:50.125{6EDEAD03-FF5F-615B-E202-00000000FB01}9724272C:\Windows\system32\csrss.exe{6EDEAD03-02EA-615C-4505-00000000FB01}1884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024044Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:50.125{6EDEAD03-FF62-615B-F802-00000000FB01}50525728C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4505-00000000FB01}1884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+204ae4|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+1757a0|C:\Windows\System32\SHELL32.dll+17c27c|C:\Windows\System32\SHELL32.dll+19ea38|C:\Windows\System32\SHELL32.dll+17c416|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x800000000000000024043Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:50.131{6EDEAD03-02EA-615C-4505-00000000FB01}1884C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon"C:\Windows\system32\ATTACKRANGE\Administrator{6EDEAD03-FF61-615B-7756-1D0000000000}0x1d56772HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000024042Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:50.000{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3DD8921DE62A92553000A9151C1D18B2,SHA256=2CF5C17950CBDF650BB21D96C78CA976E55978FE55E85F5CCD5AD8363DD18583,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024041Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:50.000{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9B9C06D804F28844F8B5C8F346B4EB0B,SHA256=08D1B047A35A9D03D7997F35503F9DF93466A1CBD6105A2B59C4A3008837A204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008297Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:51.873{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9073B13B244757CDF79CD1DE7A76596F,SHA256=318D8F51AB612B6867251F30112D77EC3A7F5A846A591221BF089B14A629AC04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024073Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:51.750{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57A7D5A473044F1C944D6BE0153F6AD0,SHA256=9CBF5AEAE52191AE6592F37AF965C130A8DBE2F7C479D17D40F112972F33FC06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024072Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:51.203{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10B3609BDC20B66C82E942B7E0381363,SHA256=79237C53C6BDB4DBDA0182A5478D57DED73244541FEACCE7871A983795BFB1A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008298Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:52.873{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42F94D57AED95519A3A236BE587AD149,SHA256=CBDDE438AF0A0DA5DDCADD9E48FC0D6E216060451AB58FD5FC95753E327E891D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024074Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:52.828{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB3263D5FB852157D5E652147ABB8355,SHA256=F8C9C765A126C348869D5A746756DFC8A815E1946BB0BD01ADB0FC6A0CE0D99C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008299Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:53.920{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41DB96A2C74004835B47D3592EA545E5,SHA256=7C1EAE7819A7A6EEDFD8CE402058C2B504D85B1A1561586056284DE76959D889,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024076Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:53.875{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F9DAD7FC040D643819692B1768A0003,SHA256=C436D64F0933919E0208FA479511EF870E7917EC31B212644C2758503988A54B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024075Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:51.779{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local62002-false10.0.1.12-8000- 23542300x80000000000000008300Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:54.936{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CF8305F1B0A7CFDDB480F09C492DC06,SHA256=636B14D24CA61F83BB3FD1BCFE9EB8DBD2717F93E9E53BFED43F1C6C96E49B03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008302Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:55.936{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=248EA771A62459D1B0ABFDF4EDDACC30,SHA256=B09FAB0F191A5230065CDCD387F7AD64CB33043EA3DB9A8F1DA7C1A66B0E58E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024079Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:53.918{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal63182- 354300x800000000000000024078Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:53.917{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal65377- 23542300x800000000000000024077Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:55.109{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=592F87529BA4A4B4B6B0BB0E84EB1AA5,SHA256=70563060B293180AC45E325E4BCA09089919FBFEABC807253D7FEDB2BA254558,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008301Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:54.063{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49945-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000008305Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:56.936{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A441F5DC151E8125EEF7D66EA15DF76F,SHA256=03C2218525B8DE39732BBFBF62E036BEC232037F1722589F01F44D2EF742A362,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024080Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:56.125{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=937048A9799133F9830998D206EA41A5,SHA256=C9899124DF5E7A8BB035A63E8AC63767CC3C7604F035605193D10BA627B1C938,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008304Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:54.333{49C67628-FDEC-615B-1600-00000000FC01}1196C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-340.eu-central-1.compute.internal65377-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal53domain 354300x80000000000000008303Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:54.332{49C67628-FDEC-615B-1600-00000000FC01}1196C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c8d0:3bab:81b5:ffff-65377-truea00:10e:4e00:6100:7400:6900:7600:6500-53domain 23542300x80000000000000008306Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:57.949{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A8F3A8772327D3DFC963AFAFAC4A5A,SHA256=5E3D7ED4ADF3B7707EE56D54DF8DEE44F832E39D041E7791FF13760C39ACFC07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024081Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:57.156{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BD2D8EA77BF2600221AA719489448A5,SHA256=5AAECFDDB25082DE75F432452B982EF178026D4D712A00AE84F6809EB67A8514,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008307Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:58.949{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FE37A408C6148400C33C9687D26EC1E,SHA256=7AF5EB89221D81F1447EA2B24D2E069805199578289AC9C98095396CEA91F01B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024092Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:58.631{6EDEAD03-FF62-615B-F802-00000000FB01}50525728C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4505-00000000FB01}1884C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a12e|C:\Windows\System32\ole32.dll+89a2b|C:\Windows\System32\ole32.dll+88be7|C:\Windows\System32\ole32.dll+8c817|C:\Windows\System32\SHELL32.dll+2c8e7d|C:\Windows\System32\SHELL32.dll+283a3e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\System32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x800000000000000024091Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:58.631{6EDEAD03-FF62-615B-F802-00000000FB01}50525728C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4505-00000000FB01}1884C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+b5f02|C:\Windows\System32\ole32.dll+899f9|C:\Windows\System32\ole32.dll+88be7|C:\Windows\System32\ole32.dll+8c817|C:\Windows\System32\SHELL32.dll+2c8e7d|C:\Windows\System32\SHELL32.dll+283a3e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\System32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x800000000000000024090Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:58.427{6EDEAD03-FF62-615B-F802-00000000FB01}50525728C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4505-00000000FB01}1884C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a220|C:\Windows\System32\ole32.dll+8c32e|C:\Windows\System32\ole32.dll+8c7fb|C:\Windows\System32\SHELL32.dll+2c8e7d|C:\Windows\System32\SHELL32.dll+283a3e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\System32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x800000000000000024089Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:58.427{6EDEAD03-FF62-615B-F802-00000000FB01}50525728C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4505-00000000FB01}1884C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c1a5|C:\Windows\System32\ole32.dll+8c7fb|C:\Windows\System32\SHELL32.dll+2c8e7d|C:\Windows\System32\SHELL32.dll+283a3e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\System32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000024088Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:58.381{6EDEAD03-FC1D-615B-1600-00000000FB01}12881440C:\Windows\System32\svchost.exe{6EDEAD03-02F2-615C-4705-00000000FB01}6420C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024087Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:58.381{6EDEAD03-FC1D-615B-1600-00000000FB01}12881316C:\Windows\System32\svchost.exe{6EDEAD03-02F2-615C-4705-00000000FB01}6420C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024086Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:58.381{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-02F2-615C-4705-00000000FB01}6420C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024085Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:58.365{6EDEAD03-FF5F-615B-E202-00000000FB01}9723852C:\Windows\system32\csrss.exe{6EDEAD03-02F2-615C-4705-00000000FB01}6420C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024084Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:58.365{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-02F2-615C-4705-00000000FB01}6420C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024083Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:58.365{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-02F2-615C-4705-00000000FB01}6420C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000024082Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:58.193{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C5EEA6FA2DB458882500C515B2EDB5D,SHA256=CAEDAFE92D8D49BEEAB75C430C1D7DE0D4A94197082D4823886E8322A501AC30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008308Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:46:59.965{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B370B7D84702DD3D3D806499050E570E,SHA256=D71E32B3D3FB7357CF13121D1D2433D01EC201C399B1EC19FA412860FA88BA9A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000024123Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:46:59.849{6EDEAD03-02F3-615C-4805-00000000FB01}5164C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=2C9D7A35C48E03F6D6841E32AEE8E156B985F220C9F0A4F8C06BA655278EF4E5 13241300x800000000000000024122Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:46:59.849{6EDEAD03-02F3-615C-4805-00000000FB01}5164C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigFileC:\Program Files\ansible\AttackRangeSysmon.xml 13241300x800000000000000024121Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:46:59.849{6EDEAD03-02F3-615C-4805-00000000FB01}5164C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data 13241300x800000000000000024120Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:46:59.849{6EDEAD03-02F3-615C-4805-00000000FB01}5164C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data 13241300x800000000000000024119Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:46:59.849{6EDEAD03-02F3-615C-4805-00000000FB01}5164C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data 13241300x800000000000000024118Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:46:59.849{6EDEAD03-02F3-615C-4805-00000000FB01}5164C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithmDWORD (0x8000000e) 16341600x800000000000000024117Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local2021-10-05 07:46:59.849C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=2C9D7A35C48E03F6D6841E32AEE8E156B985F220C9F0A4F8C06BA655278EF4E5 13241300x800000000000000024116Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:46:59.849{6EDEAD03-02F3-615C-4805-00000000FB01}5164C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000007) 12241200x800000000000000024115Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-DeleteValue2021-10-05 07:46:59.849{6EDEAD03-02F3-615C-4805-00000000FB01}5164C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules 12241200x800000000000000024114Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-DeleteValue2021-10-05 07:46:59.849{6EDEAD03-02F3-615C-4805-00000000FB01}5164C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup 12241200x800000000000000024113Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-DeleteValue2021-10-05 07:46:59.849{6EDEAD03-02F3-615C-4805-00000000FB01}5164C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation 12241200x800000000000000024112Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-DeleteValue2021-10-05 07:46:59.849{6EDEAD03-02F3-615C-4805-00000000FB01}5164C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm 12241200x800000000000000024111Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-DeleteValue2021-10-05 07:46:59.849{6EDEAD03-02F3-615C-4805-00000000FB01}5164C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options 10341000x800000000000000024110Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:59.802{6EDEAD03-02EA-615C-4605-00000000FB01}35886968C:\Windows\system32\conhost.exe{6EDEAD03-02F3-615C-4805-00000000FB01}5164C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024109Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:59.802{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024108Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:59.802{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024107Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:59.802{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024106Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:59.802{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024105Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:59.802{6EDEAD03-FF5F-615B-E202-00000000FB01}9723852C:\Windows\system32\csrss.exe{6EDEAD03-02F3-615C-4805-00000000FB01}5164C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024104Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:59.787{6EDEAD03-02EA-615C-4505-00000000FB01}18843628C:\Windows\system32\cmd.exe{6EDEAD03-02F3-615C-4805-00000000FB01}5164C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024103Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:59.769{6EDEAD03-02F3-615C-4805-00000000FB01}5164C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{6EDEAD03-FF61-615B-7756-1D0000000000}0x1d56772HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{6EDEAD03-02EA-615C-4505-00000000FB01}1884C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x800000000000000024102Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:59.318{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1344426DE882B53EA6E72D44513CDD01,SHA256=195837A8A93012254248F34A282A295F095CA1D816AD7A78826EF557C2ED300C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024101Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:59.318{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF2307481D593A106FA4B4E44619D411,SHA256=A0B1C2B5F52D19EA25C453CEC219F69D8A36DF2D2AC293D15178F3EDB8A77010,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024100Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:59.209{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A26F584578068AA4D4BA3702FC3F5C,SHA256=BD294E19252A22AD089980F04649F8E3351121E882D94A0E83DB6EC66ED4753E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024099Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:59.115{6EDEAD03-FF62-615B-F802-00000000FB01}50524504C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4505-00000000FB01}1884C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024098Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:59.115{6EDEAD03-FF62-615B-F802-00000000FB01}50524504C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4505-00000000FB01}1884C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024097Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:59.115{6EDEAD03-FF62-615B-F802-00000000FB01}50524504C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4505-00000000FB01}1884C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024096Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:59.115{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4605-00000000FB01}3588C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024095Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:59.115{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4605-00000000FB01}3588C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024094Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:59.115{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4605-00000000FB01}3588C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024093Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:59.115{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4605-00000000FB01}3588C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000008309Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:00.965{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFE93D88D3AFD9AD13DB977F8D3600A4,SHA256=2F7A9946497ECD870825EBA72382C611A5B9B7CE7C0DAF8A1A501718FA85032B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024126Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:00.771{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1344426DE882B53EA6E72D44513CDD01,SHA256=195837A8A93012254248F34A282A295F095CA1D816AD7A78826EF557C2ED300C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024125Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:00.334{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF4CFC58893EF1AC48D995D87674ED6D,SHA256=34EEF485107AA5B2A9E37288F2EB9B6B332BAC5093E576E504B6C90A56D8F347,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024124Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:46:57.660{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local62003-false10.0.1.12-8000- 23542300x80000000000000008311Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:01.965{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9E8C011E5FA1B52429D2A121DA825CB,SHA256=2CC62A5D28999D26E4E2AEC3BC1C8EC35C6CE21542DB06DD7DD9EB6D43381637,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024127Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:01.349{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F004A5445F2DE0A4B45CF44B50D1A3,SHA256=69D7DE70FA3515C8FDFE820D02DA340E84A42D85F2CE279F03C847FF7110424F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008310Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:00.076{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49946-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000008312Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:02.965{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D00E709A58FDCB2F48788E7C4046029D,SHA256=9BE6D3EF6CAF75D1F8B872544908CD28C5C2D70E9F99898D723B7C07E26EF7A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024128Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:02.349{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9624D067B84716E656B9B53DF0470991,SHA256=50F037EF287A5FC07EAF4D66F59C71610438B358B19AAB9043C70DB0E553F41C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008313Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:03.965{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C125CD96F2276F52AB6EE370C4EA8DF1,SHA256=897517B6D7B468103C2A2A572E4EBCCB0E94F58376FA23CFBDCDCF5D8AD90010,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024129Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:03.349{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=048FDA1741E11C86F563AB8F41D4E978,SHA256=6FD14D35320B3A55E1A19F90057B5E310807DE8D214B57E2D103157F69D74A0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008314Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:04.966{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B34595E7C0D6AE832BC2E8322D205DB2,SHA256=CAE3D24499801BE52198A7D9D5C6C77DCA01F05ECA7131CF14031D7FA102280B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024130Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:04.365{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DE33A1AAD2786A47288F321A702829C,SHA256=ABA2D163EEECCA09B3F862CEBC92CC1F18AA7DB90310230203EB8FBECE3F43D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008316Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:05.981{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3852F7DA9708FC1E832F572355CA2B4,SHA256=DFF482ECE968C65D269E22F3259BEB7FD47B5B00483633B4A0DF9D28616027DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024132Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:05.365{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1538B4ADF44DFFFCFCF6D324750A3F7E,SHA256=41FB7A1D5EDC7972CF5086F1494AE08D52FCFBE4C3ADE00E54E64903D449A10D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008315Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:05.202{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\respondent-20211005072534-020MD5=9DBD3CF651CAD1963D7DD9E70795396E,SHA256=D00FE5240C0E39CC33FD8ADFFDA13197E8833401D0A3D05F731F6A79B8E00229,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024131Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:02.738{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local62004-false10.0.1.12-8000- 23542300x800000000000000024133Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:06.412{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=352B0CD9AC90105816C0D0CEFD143659,SHA256=11CE93AB80B013C5986E8BF27C1C2FA10FC39FAEA4F284A737B0439DBD5016BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008318Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:05.295{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49947-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000008317Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:06.217{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\surveyor-20211005072532-021MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008320Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:07.997{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6FC3BEC4CE44D1DEDB376C736155E11,SHA256=0FABD423AE08BCF82A28426076109DF285174181BB2ADBB904BC8E46AE669F29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024134Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:07.443{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=387562D71B33338587DAC8B63995325D,SHA256=5B2D3D140B4FDFF40CE90E42F3092FECB6E1504356B6AA0A432DB20D2BC24214,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008319Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:06.997{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CBA93D358D1A0463B53197DE7ACC64B,SHA256=C7F77FDE10DBCF59F0AB418B1A6E612435BA7EF6650DCBFCF4C47973DBC4C451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008321Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:08.997{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A8F08E5DB283E5FA04AAAFFA837548C,SHA256=EC043773361AE871EE5D1DDB82D093FA2AD11DEAAC441CDB7555026C67389272,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024135Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:08.474{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A84490232D2D3A60ED67E27614FAEB8,SHA256=F22D4EF841E56501047581A48CCE073AABC5657074ECA1A10E8877575CB813AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008322Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:09.997{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DEF357F6B2F1395A1A00658F4A8250D,SHA256=F757A79601260551A84BED42EBDAD9C77A57F9EDAE912CBF6CDC8CE703CBD47D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024137Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:09.521{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=729AA2CF137C9FB3A0DEE0A663046A57,SHA256=8521C7811CB0441B6FCBD1D2E38762A44ADA0DDF3C30B4E078EC5C630DAD61B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024136Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:07.769{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local62005-false10.0.1.12-8000- 23542300x80000000000000008323Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:10.997{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A009044625A44599D4FAA127B959E224,SHA256=8D29032CA2B4163A967863999AB33D9417BB1278421242624BEC3F4F49752DC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024138Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:10.537{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B35B726C9E95BE891A3A07E27CAF1882,SHA256=E7F40802655DDC15BA9676C2C3F8608B48CF03D734BF254D6A5B33C75789E357,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008324Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:11.997{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F59C9BFF3267A596C8C00D667ECCE8F8,SHA256=064BC543BE955291DE82752078E88BBB9DF6BED4B58A139FA9FCBFC7859D8D7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024139Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:11.568{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82B26CB64CAFE26325A9C6222F70ABB7,SHA256=5CB490D6D306F2F09DD002C7C69FDD62C6E39DD5F7E7285992D719A2EC532A31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024140Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:12.615{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09C9A638C28DEF76340B2C69BF37F2A9,SHA256=4362ED784509AA22A475863CAD219445B103DACBF66E4DF510CEAA4E805958B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008325Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:11.280{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49948-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000008327Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:13.997{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAE7D3BF67EC70C48B1A1F07DB93DA73,SHA256=2C0D9A36EED5B47E9A0053A5F43A42776568636FF1FFE5FC76C47F0E74DABF89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024141Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:13.630{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F304A0D6F3CF2992E2D8781E991D6726,SHA256=4BA77A9177A639130AB34D7A78C6BFD27AD7E6543F10020DCAE33F91DFA14298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008326Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:12.997{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF282E843B00D51554630F9B383EE09C,SHA256=A38151E98A8224CEDFF5419DB2844B05BE1D70F6E2938BCF9FCECA0C5CA0C7D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024143Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:14.662{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=515E225C681BDB3985DE2ED849FED0A7,SHA256=B526BEC936D2F3983EEB663F024B32511BA6F3261DF96F987092D7869701CC28,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024142Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:12.816{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local62006-false10.0.1.12-8000- 23542300x800000000000000024144Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:15.677{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36D0D4CC3BD0D84025C3073CB824DDD6,SHA256=91A7FCA18A088F019EB28A85205C32494E9F05F6AA41A1B7C7F3C6D24B0B07D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008328Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:15.012{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E124654B44CB72CD9D868DD1C8785CD8,SHA256=2667EE6D52D8132C6D418F83CBE7C85FFE5A5009C2578BD0F4AC64E680C02D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024145Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:16.693{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5947FFE7B3A24AA2BC78645FA76FC7BE,SHA256=855332050AF422200B147F2A148B5EE6D367BAE0A9157324070A7A23A0B81E4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008329Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:16.028{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=830FF32E1E14A0AE2A58C6312567EBC4,SHA256=8E206AE0333F8470EF8A7D88E5CEE85AC93E6BB8FB231B0EF739544D50D8E0E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024150Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:17.706{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77B9A6D416D3222780726039EFBFE398,SHA256=5F05DE1F1D0100D87726F8DEC7E7C8CABFD7ECB06A4F9A47619F0D44418F5149,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008330Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:17.028{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A42BAFE48AA5B5E16AAEB4A8A4AB38C,SHA256=A69DCA9268AEE5A7907BE341EBA626ACD79806070817B2E7259325372DA0262B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024149Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:15.941{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local62007-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 354300x800000000000000024148Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:15.941{6EDEAD03-FC2A-615B-2900-00000000FB01}2912C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local62007-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 23542300x800000000000000024147Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:17.568{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40442DD8F757DECE3E08AF0473181A35,SHA256=2585D3C37556D7157CC8E4087073F56AE2B267E5D728BFFA74088FB2C587A03D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024146Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:17.568{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B08F1DFED31FCF1841400E14B398FA1A,SHA256=CC176DDF11638BD797C1B89EEE74F9DFB9AAD5F508666334EEDF5D14206F7A22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024151Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:18.722{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC09601D967C421BF87DA35E3D97CE46,SHA256=5BEE89DC240CE82FFE0DE42E6BD48166500AD32CEDE1F2F448338524DAF9D4C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008332Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:17.186{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49949-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000008331Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:18.040{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0A3A46218E2E3188CAAF8FEF99B8191,SHA256=CF42F76A1996B2433EB83A5F4C44D282335440216EA53872CCC10EE28FF61613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024152Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:19.722{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33CDD5FA7C6C98164BD0AAD611960991,SHA256=442511E1BAB8210314641A8BAF8C169E4FDDFD7330245A1A5FE04D0E424571DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008333Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:19.040{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BD008BA74BB8756FD102B83936893DF,SHA256=B7A3DE9B7B21F1C93DA2518E46329BA6985BD754DE21B6AC28ECA94EE6F574FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024153Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:20.769{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A4D0AF966C298BEE969A402AF1E3E89,SHA256=D1D0FD88DA0D26B2A3E693664DBD3BF650297BD184DF680422A44F74AC7FB8A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008334Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:20.040{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55951F8A938BB27EBE6B5174AFFC34DC,SHA256=0BAD1A1B1164A5029039CEDA4CEE140870F9DD84DE0A8B23CE8BC90CC7A39D3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024155Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:21.784{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6073F228B705FF9B2D3A2931B575CC35,SHA256=FEDE1C6F34AD83070AAE416BF749386104A218DAEDEEEA04C65DC98FC683383B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024154Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:18.847{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local62008-false10.0.1.12-8000- 23542300x80000000000000008335Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:21.056{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB4035D2A1FC75CEBC8461F54EDC8105,SHA256=550A827AFB9D6A0BFA3AE969E62575F9BF44937A37A93214B89282DA513F95ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024156Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:22.863{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E27AE401E33E13776045DDAFFDD290,SHA256=D14CC75CCFE80C7289998D91BBED10CA96BF98DA2DC8547FB545213460043EA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008336Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:22.056{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91EB1E90FAE396FD2D81CA76093F2E07,SHA256=CC7F7730BBCDAC220463C50833484404100D3D401DD6E4CD69156D67948960C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024157Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:23.863{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE5074F8B390C540C2A6D1ABE7880839,SHA256=A896119355B0EEE9BC98C2C0FD2E214CD3509E0881B7651C4B14E00270954FCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008337Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:23.056{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6EDCD4812E07FF38C284CB38BD4C736,SHA256=3AF3B9876C8DB366E6D6BF309EFFDD0D0892A2F2A67683D70798F1B8284849DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008338Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:24.072{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43929F0D89CF8D9FEFA9F9CFF4B999D8,SHA256=150588FF0045DABAC7DB80141F87AC8BFCE0DAA0D4E53190AC2D3CA218FE7706,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000024159Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:25.722{6EDEAD03-FC1D-615B-1100-00000000FB01}480C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b9bd-0x3d2fe22f) 23542300x800000000000000024158Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:25.097{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E6A583C6C196A26337E18FFB4B8CBFE,SHA256=A64628597C61ED8451A959D76D4536AD3CEC5E266C408DDE2C9B3BD67C65C1C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008340Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:25.087{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF5C58CAA09692C9B6A02CE1E5793073,SHA256=4B007EFBD07538AFE7B07AD547E5F60223C75F54AB8A04DA95065797C1E2378A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008339Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:23.089{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49950-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000024161Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:24.720{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local62009-false10.0.1.12-8000- 23542300x800000000000000024160Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:26.112{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EC72963AC24BC723D8AC2F55F104068,SHA256=D87B7E9436066B38945E1BA9920248C6B1208C77B8BC0E42FB14CB43C377CFD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008341Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:26.087{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3363C68D87DBB46A5EF25C8770204190,SHA256=29E8685804F4BEBA5A02D5A8A7AFFEE1BC412BE0A14A4B7F98D5D6992742F3EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024162Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:27.128{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D9A52D22A015972FA87B90E05AA4289,SHA256=09FE67633AA97259EB579510990965199797178430CF6EEEA4046A6A03DF5FFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008342Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:27.087{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=633719DA6DD9CD2366F2844C63874748,SHA256=95F430AB26014984EF081353D27788593BDD84F03E3479A01E1E328D6835F238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008343Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:28.103{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4962AD1AF9466FD5AA5B0228FAD3AB6,SHA256=D1B469053F2F652FB3DD01776C14FADA48C90327B378359920AFB4BC0A187E54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024163Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:28.191{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7E3705B09BB5B1734E930934B28364F,SHA256=8C0D13CB0E33AA3587B54A37322A58487C987D866F3B3ACE831CB48E73942CFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008344Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:29.103{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3FB0090139F465896F461BDCB1256A1,SHA256=253A3D4F235B94057637C4B5E62546F190C77C4547BE2D931B8BE477D00FD863,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024164Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:29.191{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1796B54014442D25E826582229BC860C,SHA256=5EC0EF24E4B7B933FE0F1B7DEDE9E92A0075CF52AAC1B7E0D721C0C3809BCFE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008345Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:30.322{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74C5099F3379E8A5BFE933F5B944AFAA,SHA256=5D8626217A89B509F61F41906CDD0E5CE0266C61CF5A3F2B083B183E6114C239,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024172Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:30.753{6EDEAD03-FF62-615B-F802-00000000FB01}50525760C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024171Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:30.753{6EDEAD03-FF62-615B-F802-00000000FB01}50525760C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024170Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:30.753{6EDEAD03-FF62-615B-F802-00000000FB01}50525760C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024169Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:30.738{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024168Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:30.738{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024167Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:30.738{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024166Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:30.738{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000024165Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:30.238{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8C9C54061BF4980F5D9ADD85105833A,SHA256=785314CEC708F39EC37A63A536ACFED984B6CEFA2F89146E4D13F5EF03599C1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008347Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:31.540{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3731A219EE46C78BD545108ED213439,SHA256=357F82220A8E4390564F4885738D0B6A12E7680A8DB13CC0054C0E9A2142CEAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024173Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:31.394{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=504C9CAFA1759690FA6544FF94425650,SHA256=5D28B485ABFF670B294F69953E291B82BF00AA6AE64BBCB2FE1CEB57DAB8F424,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008346Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:29.120{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49951-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000008349Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:32.759{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59569430FA0FBB52343123644F08E78E,SHA256=BE9A66FEC10F568B20D6AED23DC9B834D921A66EF8B048186C6AE1436F3F925A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024175Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:30.736{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local62010-false10.0.1.12-8000- 23542300x800000000000000024174Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:32.409{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D36F4DE8EC4579804B3A5B7D92BE5711,SHA256=7D195558AD30D0D69EB94CB84BFC097B2ED176DC80468B78853B94091FE57681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008348Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:32.212{49C67628-FDEB-615B-1100-00000000FC01}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=09067D7E22730E17A45234B00486ACC6,SHA256=92E14F98B4C5FBFF0DB77648D5821F627CF11E3567BF98631567674107406916,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008350Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:33.978{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2348BBB16CC8FC638E8897F635071CF5,SHA256=A8365F844CB64A75D5177F66E0E8FE9A3415228B5722B7242E02511D010E953E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024176Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:33.441{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B75CD495381F7D8B8F6BD13C958254C,SHA256=6F422DADE0EA9FDD49BEB155F0FB8BD381301B6C44372486B5788FF8B27F0F10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008354Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:34.994{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=462F2367DB853204AF12BDEC4E84BA1D,SHA256=FC68B252BC68DC5C7AF464FB8D443C68ADE8F545C978FD83F9A75F1AB1989055,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024177Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:34.441{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=157814A717BBECE1F3ADFC2BB632CC83,SHA256=F73631491B6195D157494F9F6EAC910FD68688A9A3CEA3BE335ABE63D7656263,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008353Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:34.634{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-1300-00000000FC01}684C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008352Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:34.634{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-1300-00000000FC01}684C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008351Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:34.634{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-1300-00000000FC01}684C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000024178Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:35.519{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3FFAA3FCB0E5B993E21AEF22139B5BD,SHA256=7B3E6350C637C80576F84EB3A9AC7D1387D4F622FB77C760348A61DDC5104ECC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024179Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:36.534{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77BEDD21BB642D2FFB5F49E1F71F65F9,SHA256=EED74A4274FEA24BA2385A2F62DBFB5AF76052F821B0B6BDCAC43705A9EA257C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008356Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:35.105{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49952-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000008355Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:36.119{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF9DEB05A2637812655D7F71272CA0FF,SHA256=17761CC29CA7C65407A067D0E1F995F1E87EA564719553CA2B88E1D7052DB37D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024181Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:35.829{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local62011-false10.0.1.12-8000- 23542300x800000000000000024180Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:37.597{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80F613BFCBBE70372784889A9FAC180D,SHA256=F23ED28B564035E4C4F0D7BAC4B9160013919077CB0EEAF554A81E571CF6AF93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008357Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:37.197{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA60AEBCB866C1C4769D6B88DFD3EEC,SHA256=DE2845CA9BE8AC41410997BAE2F424CC3A6E3A0B5FF05185E983AF7BE728AC01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024183Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:38.851{6EDEAD03-FCBF-615B-AF00-00000000FB01}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024182Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:38.601{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D8290680F774D6D643C4FC434013CEB,SHA256=41A69C2AFE8E0EC47D6B2A40E47CCC8487245C2896D94F0E29405496EAAEE294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008358Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:38.420{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC4F75F5BC7C50C3059998BCBD524EC6,SHA256=29C5E86D0474062FD1CD616FA2889383B6B8CC0B712CE09EDF02E712D39FF4BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008359Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:39.654{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE666890EDEA8769E2A7930E3C4490CA,SHA256=0ECC9F2BBDE05914264711D2EE08D05618BAC3FB8055C740D901E0548E44D363,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024184Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:39.648{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC8DC0E2DB76CF45452FC72ED1CF5183,SHA256=EA20534E08F31E9E0833EAB5108E5860E445D6FCDF0E236F51F7C842300F0B73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008360Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:40.810{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20DFBFD9A606B721CCDE24EF5D408873,SHA256=96D106C85562825D09702C6CDB909C983A39970684E3B6D3BC28B190EE974522,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024194Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:38.458{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local62012-false10.0.1.12-8089- 23542300x800000000000000024193Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:40.663{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3033CE4DF314F00AF0B144A2BBEBE7A5,SHA256=F77EFD396C41BB62BDC7A2D1F372D6E022AAC8FDD797E24EFDF38E179AE03E1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024192Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:40.351{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-031C-615C-4905-00000000FB01}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024191Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:40.351{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024190Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:40.351{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024189Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:40.351{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024188Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:40.351{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024187Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:40.351{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-031C-615C-4905-00000000FB01}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024186Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:40.351{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-031C-615C-4905-00000000FB01}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024185Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:40.351{6EDEAD03-031C-615C-4905-00000000FB01}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000008361Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:41.951{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E79D1894B247E9C2EFE1B132A837B0DB,SHA256=0A4D2C68F97799BED8883C070B1D0E87CEED327DE4FB586CDC9DF578ADA03F5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024214Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:41.679{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=584A7AA8E0B7E020FFDE05CCA7AE9872,SHA256=136A500F7599462898CB7213BFF5D3197144DD70F24B60DBA47C3790652C596F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024213Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:41.523{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-031D-615C-4B05-00000000FB01}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024212Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:41.523{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024211Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:41.523{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024210Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:41.523{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024209Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:41.523{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024208Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:41.523{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-031D-615C-4B05-00000000FB01}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024207Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:41.523{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-031D-615C-4B05-00000000FB01}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024206Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:41.528{6EDEAD03-031D-615C-4B05-00000000FB01}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024205Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:41.382{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34D966E2FD3110CBE17B85C3F93386C7,SHA256=BD90DC0764D1F575A0A8ACF1C20EACF6E4BFF887CFF403B5D11BB82335F904EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024204Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:41.382{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40442DD8F757DECE3E08AF0473181A35,SHA256=2585D3C37556D7157CC8E4087073F56AE2B267E5D728BFFA74088FB2C587A03D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024203Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:41.241{6EDEAD03-031D-615C-4A05-00000000FB01}67002324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024202Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:41.023{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-031D-615C-4A05-00000000FB01}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024201Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:41.023{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024200Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:41.023{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024199Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:41.023{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024198Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:41.023{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024197Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:41.023{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-031D-615C-4A05-00000000FB01}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024196Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:41.023{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-031D-615C-4A05-00000000FB01}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024195Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:41.023{6EDEAD03-031D-615C-4A05-00000000FB01}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000024225Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:42.741{6EDEAD03-031E-615C-4C05-00000000FB01}32004228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000024224Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:42.679{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4B81BD962FD116ACE36DCBC0B8909A2,SHA256=4D7500061E9F64AF62CCDA6CA3E36F7CD19A5791E305176B11E8D4FA0D6FFE74,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000008372Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 07:47:42.810{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000008371Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 07:47:42.810{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00145d22) 13241300x80000000000000008370Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 07:47:42.810{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b9b4-0xe51463a4) 13241300x80000000000000008369Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 07:47:42.810{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b9bd-0x46d8cba4) 13241300x80000000000000008368Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 07:47:42.810{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b9c5-0xa89d33a4) 13241300x80000000000000008367Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 07:47:42.810{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000008366Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 07:47:42.810{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00145d22) 13241300x80000000000000008365Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 07:47:42.810{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b9b4-0xe51463a4) 13241300x80000000000000008364Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 07:47:42.810{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b9bd-0x46d8cba4) 13241300x80000000000000008363Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 07:47:42.810{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b9c5-0xa89d33a4) 354300x80000000000000008362Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:40.125{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49953-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000024223Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:42.569{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-031E-615C-4C05-00000000FB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024222Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:42.569{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024221Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:42.569{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024220Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:42.569{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024219Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:42.569{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024218Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:42.569{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-031E-615C-4C05-00000000FB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024217Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:42.569{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-031E-615C-4C05-00000000FB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024216Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:42.570{6EDEAD03-031E-615C-4C05-00000000FB01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024215Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:42.523{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34D966E2FD3110CBE17B85C3F93386C7,SHA256=BD90DC0764D1F575A0A8ACF1C20EACF6E4BFF887CFF403B5D11BB82335F904EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024244Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:43.913{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-031F-615C-4E05-00000000FB01}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024243Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:43.913{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024242Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:43.913{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024241Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:43.913{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024240Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:43.913{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024239Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:43.913{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-031F-615C-4E05-00000000FB01}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024238Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:43.913{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-031F-615C-4E05-00000000FB01}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024237Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:43.914{6EDEAD03-031F-615C-4E05-00000000FB01}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024236Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:43.679{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4493F7FCCEF743B67A5C4CAA8338CBD1,SHA256=F5C1332255095569F3102AC5B5A064C0092EA814614847E7AA577B54C2218917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008374Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:43.170{49C67628-FE68-615B-9F00-00000000FC01}1772NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008373Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:42.998{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA0F6DA7BB398246132AD88D59D8E0EB,SHA256=18E57EDAE9447810CD9F9A7426C272A087BFD87249F70CF369BBA3C5C4FD5AFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024235Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:43.663{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACDA0BE5F65661FCF39EBF33AC90A5D6,SHA256=1CCAC833B6DC8BE077474DA93382FA48173F9D9727148692AF810CAF303D4C4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024234Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:43.445{6EDEAD03-031F-615C-4D05-00000000FB01}66807100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024233Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:43.241{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-031F-615C-4D05-00000000FB01}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024232Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:43.241{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024231Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:43.241{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024230Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:43.241{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024229Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:43.241{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024228Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:43.241{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-031F-615C-4D05-00000000FB01}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024227Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:43.241{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-031F-615C-4D05-00000000FB01}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024226Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:43.242{6EDEAD03-031F-615C-4D05-00000000FB01}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024255Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:44.695{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B69A03DA550CFBA41D4611945C92315,SHA256=07976E4D761867D581B32E4E5862D506A9D2140921E5D82D4D94DB4136892150,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008389Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:44.795{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0320-615C-7101-00000000FC01}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008388Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:44.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008387Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:44.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008386Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:44.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008385Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:44.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008384Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:44.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008383Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:44.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008382Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:44.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008381Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:44.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008380Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:44.795{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008379Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:44.795{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-0320-615C-7101-00000000FC01}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008378Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:44.795{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0320-615C-7101-00000000FC01}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008377Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:44.795{49C67628-0320-615C-7101-00000000FC01}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000008376Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:43.187{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49954-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000008375Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:44.123{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62D0D243EACA42DBE2DA8CC26206E980,SHA256=875CB432E16EE5FDD7732C24C73BC264C1B2A83D6366BB3489DECFA26616AD5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024254Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:44.585{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0320-615C-4F05-00000000FB01}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024253Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:44.585{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024252Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:44.585{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024251Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:44.585{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024250Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:44.585{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024249Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:44.585{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-0320-615C-4F05-00000000FB01}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024248Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:44.585{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0320-615C-4F05-00000000FB01}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024247Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:44.586{6EDEAD03-0320-615C-4F05-00000000FB01}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000024246Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:44.101{6EDEAD03-031F-615C-4E05-00000000FB01}66486496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000024245Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:41.818{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local62013-false10.0.1.12-8000- 23542300x800000000000000024257Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:45.710{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=939749D9C4CB9DBCD1F1BD5D549D8DE5,SHA256=42777EB43FAE5D31E974B09AAF5CE14FF49A1D4EF8F72FAE2F60194A569CD9D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008419Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:45.857{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0321-615C-7301-00000000FC01}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008418Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:45.857{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008417Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:45.857{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008416Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:45.857{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008415Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:45.857{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008414Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:45.857{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008413Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:45.857{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008412Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:45.857{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008411Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:45.857{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008410Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:45.857{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008409Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:45.857{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-0321-615C-7301-00000000FC01}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008408Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:45.857{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0321-615C-7301-00000000FC01}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008407Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:45.858{49C67628-0321-615C-7301-00000000FC01}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000008406Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:45.810{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B28D6CCD9F58A31661FDD1448B3F4CAB,SHA256=47EC00505721409A74FF110DE714DF3768A81CA5234167DB5F3CF975062C1002,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008405Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:45.810{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5463566C4F437CD7F37B2FAA08E52C0C,SHA256=91E2FA15D5F8529853F0B3084E8421F58AAB0CA4DAE8168C5CCC9345D60EF633,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008404Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:45.435{49C67628-0321-615C-7201-00000000FC01}34522944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008403Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:45.295{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0321-615C-7201-00000000FC01}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008402Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:45.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008401Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:45.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008400Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:45.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008399Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:45.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008398Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:45.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008397Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:45.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008396Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:45.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008395Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:45.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008394Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:45.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008393Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:45.295{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-0321-615C-7201-00000000FC01}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008392Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:45.295{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0321-615C-7201-00000000FC01}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008391Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:45.296{49C67628-0321-615C-7201-00000000FC01}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000008390Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:45.138{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=043C7FC70BDB334827BA97080A66D64F,SHA256=2C426C6383235D3B4716888671AB28E2D0A1EE641AA40A2BE7244384B2C20A14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024256Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:45.085{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53981D2E81FAC1C18E2473D5CBC513E2,SHA256=1882A416502A7FEF9C9D09A7807B3364C858054FD0C9A1D912AF9A3FC9C01EE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024258Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:46.710{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E71E7A41BAF6959BB7FB288CB1DC6A6E,SHA256=6188540290180F0F644BE1B69FCC3C0775AFA755AFE9AF004991C9CABEB47824,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008421Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:46.857{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B28D6CCD9F58A31661FDD1448B3F4CAB,SHA256=47EC00505721409A74FF110DE714DF3768A81CA5234167DB5F3CF975062C1002,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008420Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:46.216{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3865FC8F663617822E19344B6964A0F8,SHA256=10825DD9C1D90DE3A453D5B24BF4A577531B949CD3C983F86A212CB21194CD14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024259Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:47.711{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C90038E4D29CB513A6E4249179B27122,SHA256=5DD0A922794649637DFF99EA47087A79FF587F0265ACF372A584DEF661CF595B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008437Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:45.187{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49955-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000008436Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:47.310{49C67628-0323-615C-7401-00000000FC01}37963400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000008435Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:47.216{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E053351B68020448E46287C85879A7E,SHA256=C390D062C1F20B6FB8F4983D2F5DB8C75C099296E915952CEED63F1610F5ACB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008434Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:47.092{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0323-615C-7401-00000000FC01}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008433Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:47.092{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008432Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:47.092{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008431Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:47.092{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008430Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:47.092{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008429Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:47.092{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008428Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:47.092{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008427Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:47.092{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008426Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:47.092{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008425Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:47.092{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008424Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:47.092{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-0323-615C-7401-00000000FC01}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008423Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:47.092{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0323-615C-7401-00000000FC01}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008422Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:47.092{49C67628-0323-615C-7401-00000000FC01}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024269Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:48.712{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C723B4740C26FA9AD949F8562EE354,SHA256=136BFDAA73A464E2C2962C254B9CF6F657DF254064E01A72E2B34192D4E37DAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008466Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:48.966{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0324-615C-7601-00000000FC01}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008465Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:48.966{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008464Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:48.966{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008463Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:48.966{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008462Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:48.966{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008461Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:48.966{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008460Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:48.966{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008459Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:48.966{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008458Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:48.966{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008457Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:48.966{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008456Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:48.966{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-0324-615C-7601-00000000FC01}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008455Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:48.966{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0324-615C-7601-00000000FC01}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008454Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:48.967{49C67628-0324-615C-7601-00000000FC01}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008453Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:48.435{49C67628-0324-615C-7501-00000000FC01}18003208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000008452Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:48.357{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ACB6E20DE9ACBB0D8E7F1FCAA18C9AC,SHA256=59782C86C7A15783E7B061878A4777414F135D2DD1BB69F91B4DD567697D57C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024268Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:48.149{6EDEAD03-FC1B-615B-0B00-00000000FB01}636804C:\Windows\system32\lsass.exe{6EDEAD03-FC18-615B-0100-00000000FB01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000024267Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:48.044{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\respondent-20211005071805-028MD5=AA6F78CCC35FD74424B933C975A9F779,SHA256=482DFC86E7C4A11E76E3E352EB64B396C84C083D9F57F37823883232EC55A225,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024266Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:48.024{6EDEAD03-FF62-615B-F802-00000000FB01}50525760C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024265Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:48.024{6EDEAD03-FF62-615B-F802-00000000FB01}50525760C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024264Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:48.024{6EDEAD03-FF62-615B-F802-00000000FB01}50525760C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024263Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:48.008{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024262Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:48.008{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024261Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:48.008{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024260Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:48.008{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008451Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:48.295{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0324-615C-7501-00000000FC01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008450Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:48.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008449Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:48.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008448Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:48.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008447Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:48.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008446Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:48.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008445Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:48.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008444Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:48.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008443Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:48.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008442Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:48.295{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008441Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:48.295{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-0324-615C-7501-00000000FC01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008440Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:48.295{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0324-615C-7501-00000000FC01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008439Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:48.295{49C67628-0324-615C-7501-00000000FC01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000008438Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:48.232{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95ED4F8A1003069214B3565DF79F775B,SHA256=5B9F07B0DC86898C551A7C90EDA648AA4F50C2B4ED404C897EF296E2A2568A42,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024274Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:47.758{6EDEAD03-FC18-615B-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local62014-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local445microsoft-ds 354300x800000000000000024273Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:47.758{6EDEAD03-FC18-615B-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local62014-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local445microsoft-ds 23542300x800000000000000024272Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:49.714{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F86FFEC503B343C6477A44D343004D99,SHA256=6305A522E6710EC84607DFEF07858BCE4C96C8038B8F4E8D8B06CBE634950A31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008482Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:49.638{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0325-615C-7701-00000000FC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008481Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:49.638{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008480Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:49.638{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008479Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:49.638{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008478Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:49.638{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008477Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:49.638{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008476Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:49.638{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008475Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:49.638{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008474Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:49.638{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008473Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:49.638{49C67628-FDEB-615B-0C00-00000000FC01}728760C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008472Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:49.638{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-0325-615C-7701-00000000FC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008471Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:49.638{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0325-615C-7701-00000000FC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008470Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:49.640{49C67628-0325-615C-7701-00000000FC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000008469Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:49.591{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=838A89ED1597C8940277956A3A83A782,SHA256=8A2F73D22584129AF599142977D4A2E088AEC237D0F8C589259ADC15F4EEC655,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024271Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:49.164{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13A0AC1F59732C36671CE6BF38132C02,SHA256=A6A4828DFFB556A3F12F7B269F8F6808EABFFA103F289ED597FB2C801CB9D567,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024270Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:49.040{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\surveyor-20211005071802-029MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008468Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:49.310{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BFCCB445DDD66CCF49D1F858D497FD6,SHA256=2A1A7D89C30049E879562ABFA9F8116FD053E37BF7A7D60E77EA4C394F451D36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008467Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:49.154{49C67628-0324-615C-7601-00000000FC01}34242840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000024290Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:50.714{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F09234AE59265FA9CBCAE400F12110E,SHA256=89851EA9403C08BE28658E02B750D566E18364FA288AD0F08DEF33C959D621BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008484Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:50.857{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECCCA56BD8ADF331797B74C1DF02CDC4,SHA256=75B1685B4F328DC1F48ABAC53B43F4C62C42D4A67EDA8E7D0A5332CFB395C085,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008483Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:50.638{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1436069FAE789AA6CED22E56DD1913C7,SHA256=8DCEDE61AED1F2B4F664F5B70D3D37111D1F177B091B92127B6C80326F582B01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024289Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:50.433{6EDEAD03-FC1D-615B-1200-00000000FB01}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=69A5FAEDC56FBBAD441EC2A0E9B8BF83,SHA256=B75912274A2D7F424497232A7B1B9CC5A41BFE8F05F54DD184CC56C177568840,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024288Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:50.214{6EDEAD03-FC1D-615B-1600-00000000FB01}12885612C:\Windows\System32\svchost.exe{6EDEAD03-FC2A-615B-2D00-00000000FB01}1000C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024287Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:50.214{6EDEAD03-FC1D-615B-1600-00000000FB01}12885612C:\Windows\System32\svchost.exe{6EDEAD03-FC2A-615B-2D00-00000000FB01}1000C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000024286Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:50.183{6EDEAD03-FC1D-615B-1200-00000000FB01}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{12612be9-6044-47c0-97f0-8c78ab4b3889}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x800000000000000024285Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:50.183{6EDEAD03-FC1D-615B-1200-00000000FB01}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{12612be9-6044-47c0-97f0-8c78ab4b3889}\IsServerNapAwareDWORD (0x00000000) 13241300x800000000000000024284Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:50.183{6EDEAD03-FC1D-615B-1200-00000000FB01}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{12612be9-6044-47c0-97f0-8c78ab4b3889}\AddressTypeDWORD (0x00000000) 13241300x800000000000000024283Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:50.183{6EDEAD03-FC1D-615B-1200-00000000FB01}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{12612be9-6044-47c0-97f0-8c78ab4b3889}\LeaseTerminatesTimeDWORD (0x615c1136) 13241300x800000000000000024282Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:50.183{6EDEAD03-FC1D-615B-1200-00000000FB01}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{12612be9-6044-47c0-97f0-8c78ab4b3889}\T2DWORD (0x615c0f74) 13241300x800000000000000024281Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:50.183{6EDEAD03-FC1D-615B-1200-00000000FB01}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{12612be9-6044-47c0-97f0-8c78ab4b3889}\T1DWORD (0x615c0a2e) 13241300x800000000000000024280Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:50.183{6EDEAD03-FC1D-615B-1200-00000000FB01}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{12612be9-6044-47c0-97f0-8c78ab4b3889}\LeaseObtainedTimeDWORD (0x615c0326) 13241300x800000000000000024279Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:50.183{6EDEAD03-FC1D-615B-1200-00000000FB01}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{12612be9-6044-47c0-97f0-8c78ab4b3889}\LeaseDWORD (0x00000e10) 13241300x800000000000000024278Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:50.183{6EDEAD03-FC1D-615B-1200-00000000FB01}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{12612be9-6044-47c0-97f0-8c78ab4b3889}\DhcpServer10.0.1.1 13241300x800000000000000024277Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:50.183{6EDEAD03-FC1D-615B-1200-00000000FB01}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{12612be9-6044-47c0-97f0-8c78ab4b3889}\DhcpSubnetMask255.255.255.0 13241300x800000000000000024276Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:50.183{6EDEAD03-FC1D-615B-1200-00000000FB01}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{12612be9-6044-47c0-97f0-8c78ab4b3889}\DhcpIPAddress10.0.1.14 13241300x800000000000000024275Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:50.183{6EDEAD03-FC1D-615B-1200-00000000FB01}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{12612be9-6044-47c0-97f0-8c78ab4b3889}\DhcpInterfaceOptionsBinary Data 23542300x80000000000000008485Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:51.732{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E61E82B1F3A18B39A9D56FED8A709C3,SHA256=D97C47BC41A1EC868F4F70BA153E6763E782277A561BCE0C2D0FD235C2F6179E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024326Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.823{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1600-00000000FB01}1288C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024325Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.823{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1600-00000000FB01}1288C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024324Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.823{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1600-00000000FB01}1288C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024323Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.823{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1600-00000000FB01}1288C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024322Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.823{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1600-00000000FB01}1288C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024321Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.823{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1600-00000000FB01}1288C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024320Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.823{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1600-00000000FB01}1288C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024319Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.823{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1600-00000000FB01}1288C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024318Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.823{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1600-00000000FB01}1288C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024317Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.823{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1600-00000000FB01}1288C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024316Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.823{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1600-00000000FB01}1288C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024315Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.823{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1600-00000000FB01}1288C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000024314Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.714{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=673786AB8B92AFD22B7B61985883CE84,SHA256=12FE23910D98F43276D22C7CDCA26CA49B8D3D519925CA13DEB641B0EA848F47,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000024313Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:51.526{6EDEAD03-FC1D-615B-1500-00000000FB01}1240C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x000007a8) 10341000x800000000000000024312Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.323{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000024311Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:51.308{6EDEAD03-FC1D-615B-1600-00000000FB01}1288C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\Parameters\ADHarvest\LastFetchDomainATTACKRANGE 13241300x800000000000000024310Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:51.308{6EDEAD03-FC1D-615B-1600-00000000FB01}1288C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\Parameters\ADHarvest\LastSuccessfulADS&SFetchBinary Data 13241300x800000000000000024309Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:51.308{6EDEAD03-FC1D-615B-1600-00000000FB01}1288C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\Parameters\ADHarvest\LastFetchContents* 13241300x800000000000000024308Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:51.308{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{dc5f23d3-fd73-4586-944e-cc9781a4e3df}\NetworkPerformsHijackingDWORD (0x00000000) 13241300x800000000000000024307Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:51.308{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{dc5f23d3-fd73-4586-944e-cc9781a4e3df}\LastProbeTimeDWORD (0x615c0327) 13241300x800000000000000024306Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:51.308{6EDEAD03-FC1D-615B-1100-00000000FB01}480C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{DC5F23D3-FD73-4586-944E-CC9781A4E3DF}\DateLastConnectedBinary Data 13241300x800000000000000024305Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:51.308{6EDEAD03-FC1D-615B-1100-00000000FB01}480C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{DC5F23D3-FD73-4586-944E-CC9781A4E3DF}\NameTypeDWORD (0x00000006) 13241300x800000000000000024304Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:51.308{6EDEAD03-FC1D-615B-1100-00000000FB01}480C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{DC5F23D3-FD73-4586-944E-CC9781A4E3DF}\DateCreatedBinary Data 13241300x800000000000000024303Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:51.308{6EDEAD03-FC1D-615B-1100-00000000FB01}480C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{DC5F23D3-FD73-4586-944E-CC9781A4E3DF}\CategoryDWORD (0x00000002) 13241300x800000000000000024302Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:51.308{6EDEAD03-FC1D-615B-1100-00000000FB01}480C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{DC5F23D3-FD73-4586-944E-CC9781A4E3DF}\ManagedDWORD (0x00000001) 13241300x800000000000000024301Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:51.308{6EDEAD03-FC1D-615B-1100-00000000FB01}480C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{DC5F23D3-FD73-4586-944E-CC9781A4E3DF}\Descriptionattackrange.local 13241300x800000000000000024300Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:51.308{6EDEAD03-FC1D-615B-1100-00000000FB01}480C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{DC5F23D3-FD73-4586-944E-CC9781A4E3DF}\ProfileNameattackrange.local 354300x800000000000000024299Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:47.804{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local62015-false10.0.1.12-8000- 10341000x800000000000000024298Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.073{6EDEAD03-011D-615C-0305-00000000FB01}57405284C:\Windows\system32\conhost.exe{6EDEAD03-0327-615C-5005-00000000FB01}5584C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024297Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.058{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024296Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.058{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024295Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.058{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024294Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.058{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024293Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.058{6EDEAD03-FF5F-615B-E202-00000000FB01}9724272C:\Windows\system32\csrss.exe{6EDEAD03-0327-615C-5005-00000000FB01}5584C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024292Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.058{6EDEAD03-011D-615C-0205-00000000FB01}54284716C:\Windows\system32\cmd.exe{6EDEAD03-0327-615C-5005-00000000FB01}5584C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024291Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.071{6EDEAD03-0327-615C-5005-00000000FB01}5584C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigestC:\Users\Administrator\ATTACKRANGE\Administrator{6EDEAD03-FF61-615B-7756-1D0000000000}0x1d56772HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x80000000000000008486Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:52.748{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C91DC52A60049A0B7CA8B48E71B706A,SHA256=C5E1A690FD875B2559D1AD663B3ABAC26A457190A706B59CC2383F9BCC37B4A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024348Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:52.823{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2300519067E72905C588E43C90E24DE5,SHA256=659226E6BCD02E0492378E319AF0E22493B4395D5EDCF38E53D13455C0B78207,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024347Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:49.796{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:5f45:5252:c840:3d9e:80e5:ffff-57670-truee000:fc:f85:fbf8:feff:833d:be4:bdff-5355llmnr 354300x800000000000000024346Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:49.795{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local57670-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x800000000000000024345Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:49.790{6EDEAD03-FC1D-615B-1200-00000000FB01}616C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-676.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 22542200x800000000000000024344Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.313{6EDEAD03-FC1D-615B-1600-00000000FB01}1288isatap.eu-central-1.compute.internal9003-C:\Windows\System32\svchost.exe 22542200x800000000000000024343Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.311{6EDEAD03-FC1D-615B-1300-00000000FB01}1032vwpgxmhvadkd1460-C:\Windows\System32\svchost.exe 22542200x800000000000000024342Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.207{6EDEAD03-FC1D-615B-1300-00000000FB01}1032win-dc-676.attackrange.local0fe80::b879:39b3:8bb9:e640;fe80::2c9d:2f3c:f5ff:fef1;2001:0:2851:782c:2c9d:2f3c:f5ff:fef1;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 13241300x800000000000000024341Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:52.214{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\RegisteredSinceBootDWORD (0x00000001) 13241300x800000000000000024340Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:52.214{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\StaleAdapterDWORD (0x00000000) 13241300x800000000000000024339Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:52.214{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\CompartmentIdDWORD (0x00000001) 13241300x800000000000000024338Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:52.214{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\FlagsDWORD (0x00000002) 13241300x800000000000000024337Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:52.214{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\TtlDWORD (0x000004b0) 13241300x800000000000000024336Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:52.214{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\SentPriUpdateToIpBinary Data 13241300x800000000000000024335Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:52.214{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\SentUpdateToIpBinary Data 13241300x800000000000000024334Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:52.214{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\DnsServersBinary Data 13241300x800000000000000024333Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:52.214{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\HostAddrsBinary Data 13241300x800000000000000024332Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:52.214{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\PrimaryDomainNameattackrange.local 13241300x800000000000000024331Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:52.214{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\AdapterDomainName(Empty) 13241300x800000000000000024330Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:52.214{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\Hostnamewin-dc-676 10341000x800000000000000024329Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:52.214{6EDEAD03-FC1B-615B-0B00-00000000FB01}636692C:\Windows\system32\lsass.exe{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30485|C:\Windows\system32\lsasrv.dll+2e31b|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x800000000000000024328Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:52.214{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\RegisteredSinceBootDWORD (0x00000001) 23542300x800000000000000024327Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:52.167{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=074664F4E5F1F6BF02212CEE4D11B998,SHA256=C1DDA100E7216A0D06ECDCBF33467BE730B9C00D4EF09397B8E3D651676E77F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008488Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:53.967{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0130C835885F4739CB251C03573D67CF,SHA256=EB008EB7C5C444A3F066B1AEDC829B3C760443D27706CF6B9A6B5FCC2FF2B619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024358Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.823{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CFEEF9156345CE1C6D6A6963435EF80,SHA256=0A81F8618D8298071C3748D3E5BF004419EC4A9773D73B57640DA3D2D9FF713C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008487Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:51.109{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49956-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000024357Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.431{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local65377- 354300x800000000000000024356Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.431{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local54716- 354300x800000000000000024355Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:50.923{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local64126- 354300x800000000000000024354Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:50.918{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local62017-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 354300x800000000000000024353Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:50.918{6EDEAD03-FC1D-615B-1600-00000000FB01}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local62017-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 354300x800000000000000024352Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:50.918{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local65047- 354300x800000000000000024351Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:50.815{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-676.attackrange.local62016-false10.0.1.14win-dc-676.attackrange.local389ldap 354300x800000000000000024350Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:50.815{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-676.attackrange.local62016-false10.0.1.14win-dc-676.attackrange.local389ldap 23542300x800000000000000024349Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.245{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C3D80990C5545C7A46107EE7636DCBC,SHA256=8E7676BAF87EF2730E756998AD1E9C247529E3926A0067DB70F15A07654124B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024378Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:54.839{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BA7C73458C798FFFF19CF597B802588,SHA256=F5C649FC544CD3BD1CD4CAFC8E016D7EA0698C10D1E7B7C92CA32506893F2F13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024377Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:54.417{6EDEAD03-FC1B-615B-0B00-00000000FB01}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.dnsMD5=13E888105837E5A9AC3144769297396A,SHA256=D8E9BA083F42CA73A2345BA1F5AC4F204795B4A5BFB653BFA01F6258E6083263,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024376Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:54.417{6EDEAD03-FC1B-615B-0B00-00000000FB01}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.dnbMD5=4A321F4C72C0556C65DDC3703F1A97D3,SHA256=C544FDF6B9566B661AB6ECD1EBFFA37D72FECFC2254C9897CF549CC12CD7ECD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024375Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:52.853{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local50195-false10.0.1.12-8000- 354300x800000000000000024374Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.836{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local60372- 354300x800000000000000024373Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.835{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local59465- 354300x800000000000000024372Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.834{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local54272- 354300x800000000000000024371Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.834{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local54505- 354300x800000000000000024370Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.829{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local50194-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 354300x800000000000000024369Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.829{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local50194-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 354300x800000000000000024368Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.827{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-676.attackrange.local50193-false10.0.1.14win-dc-676.attackrange.local53domain 354300x800000000000000024367Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.827{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-676.attackrange.local50193-false10.0.1.14win-dc-676.attackrange.local53domain 354300x800000000000000024366Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.825{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local54496- 354300x800000000000000024365Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.825{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-676.attackrange.local54496-false10.0.1.14win-dc-676.attackrange.local53domain 354300x800000000000000024364Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.824{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local60609- 354300x800000000000000024363Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:51.775{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local64439- 13241300x800000000000000024362Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:54.323{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 13241300x800000000000000024361Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:54.323{6EDEAD03-FC1D-615B-1600-00000000FB01}1288C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 13241300x800000000000000024360Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:54.323{6EDEAD03-FC1D-615B-1600-00000000FB01}1288C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 13241300x800000000000000024359Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:54.323{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 23542300x800000000000000024413Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:55.995{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5A3AA6137AEADA349DECDBF5EFDEE86,SHA256=3F628FCB3117A2FCD199EEA6AD9857E65A83C37EE1F50977C0E71AEE1B1738CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008489Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:54.998{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6111FC458251F05C28791BE6045166A8,SHA256=1884CF955DE99F4510523E2AC812CF58B406215F35E412455A6C5E944C6D11D8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000024412Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:55.870{6EDEAD03-FC1D-615B-1100-00000000FB01}480C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b9bd-0x4f282269) 354300x800000000000000024411Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.991{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local56656- 354300x800000000000000024410Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.991{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local58622- 354300x800000000000000024409Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.990{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local60078- 354300x800000000000000024408Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.989{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local65441- 354300x800000000000000024407Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.988{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local57121- 354300x800000000000000024406Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.987{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local55624- 354300x800000000000000024405Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.986{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local62336- 354300x800000000000000024404Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.986{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local64543- 354300x800000000000000024403Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.984{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local61055- 354300x800000000000000024402Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.983{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local63500- 354300x800000000000000024401Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.983{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local61519- 354300x800000000000000024400Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.982{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local57598- 354300x800000000000000024399Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.981{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local55964- 354300x800000000000000024398Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.980{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local55086- 354300x800000000000000024397Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.980{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local55009- 354300x800000000000000024396Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.979{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local57539- 354300x800000000000000024395Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.978{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local61351- 354300x800000000000000024394Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.971{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local61632- 354300x800000000000000024393Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.969{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local62889- 354300x800000000000000024392Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.968{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local57181- 354300x800000000000000024391Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.954{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local62424- 354300x800000000000000024390Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.953{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local58918- 354300x800000000000000024389Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.948{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local63940- 354300x800000000000000024388Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.940{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local49264-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local49264- 354300x800000000000000024387Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.938{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local50197-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local49666- 354300x800000000000000024386Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.938{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local50197-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local49666- 354300x800000000000000024385Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.935{6EDEAD03-FC1D-615B-0D00-00000000FB01}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local50196-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local135epmap 354300x800000000000000024384Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.935{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local50196-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local135epmap 13241300x800000000000000024383Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:55.354{6EDEAD03-FC1D-615B-1500-00000000FB01}1240C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x00000431) 23542300x800000000000000024382Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:55.354{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89FA69A82C1FBC829A02E612C6C1CD9C,SHA256=0E3D0CA68E9876703DC81E977EC0C7EE65907AF2A45A378CC628A47FD7DE9D23,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000024381Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:54.335{6EDEAD03-FC2A-615B-2600-00000000FB01}2780WIN-DC-6760fe80::b879:39b3:8bb9:e640;C:\Windows\System32\spoolsv.exe 23542300x800000000000000024380Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:55.323{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=25ADCCDCD9D9E6FBEAFC077BE4CE3063,SHA256=3FDE9DE91CF58AD3208C25CE9595E58F725E999D06C7BE53291639C5C7873048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024379Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:55.323{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3DD8921DE62A92553000A9151C1D18B2,SHA256=2CF5C17950CBDF650BB21D96C78CA976E55978FE55E85F5CCD5AD8363DD18583,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008490Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:56.201{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18E6FFDBC8B2229D53F16130E6D744D1,SHA256=A8A39565FFCA788289BA4159D90A7859504781CD4118B94774A3DB61EC67172E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024447Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:56.870{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=25ADCCDCD9D9E6FBEAFC077BE4CE3063,SHA256=3FDE9DE91CF58AD3208C25CE9595E58F725E999D06C7BE53291639C5C7873048,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024446Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:54.025{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local61675- 354300x800000000000000024445Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:54.024{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local63496- 354300x800000000000000024444Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:54.023{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local64728- 354300x800000000000000024443Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:54.022{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local63305- 354300x800000000000000024442Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:54.021{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local61138- 354300x800000000000000024441Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:54.021{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local57386- 354300x800000000000000024440Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:54.020{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local58224- 354300x800000000000000024439Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:54.016{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local64703- 354300x800000000000000024438Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:54.014{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local61909- 354300x800000000000000024437Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:54.014{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local62918- 354300x800000000000000024436Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:54.011{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local62398- 354300x800000000000000024435Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:54.010{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local55276- 354300x800000000000000024434Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:54.009{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local55751- 354300x800000000000000024433Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:54.008{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local59029- 354300x800000000000000024432Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:54.006{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local54328- 354300x800000000000000024431Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:54.004{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local61791- 354300x800000000000000024430Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:54.004{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local64281- 354300x800000000000000024429Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:54.003{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local62831- 354300x800000000000000024428Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:54.002{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local59001- 354300x800000000000000024427Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.999{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local61609- 354300x800000000000000024426Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.996{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local54802- 354300x800000000000000024425Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.996{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local57966- 354300x800000000000000024424Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.995{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local64798- 354300x800000000000000024423Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:53.993{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local59472- 13241300x800000000000000024422Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:56.151{6EDEAD03-032C-615C-5105-00000000FB01}108C:\Windows\system32\reg.exeHKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredentialDWORD (0x00000001) 10341000x800000000000000024421Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:56.136{6EDEAD03-011D-615C-0305-00000000FB01}57405284C:\Windows\system32\conhost.exe{6EDEAD03-032C-615C-5105-00000000FB01}108C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024420Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:56.136{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024419Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:56.136{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024418Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:56.136{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024417Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:56.136{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024416Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:56.136{6EDEAD03-FF5F-615B-E202-00000000FB01}9723852C:\Windows\system32\csrss.exe{6EDEAD03-032C-615C-5105-00000000FB01}108C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024415Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:56.136{6EDEAD03-011D-615C-0205-00000000FB01}54284716C:\Windows\system32\cmd.exe{6EDEAD03-032C-615C-5105-00000000FB01}108C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024414Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:56.145{6EDEAD03-032C-615C-5105-00000000FB01}108C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /fC:\Users\Administrator\ATTACKRANGE\Administrator{6EDEAD03-FF61-615B-7756-1D0000000000}0x1d56772HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x80000000000000008491Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:57.201{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72A2D0D61B74017BE8987139127E0A39,SHA256=DB462DB8F721C16AE80B4BB6C0A379418670E3C28B5BDE7390F850F0CAE3F5B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024463Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:55.463{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local63978- 13241300x800000000000000024462Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:57.354{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\RegisteredSinceBootDWORD (0x00000001) 13241300x800000000000000024461Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:57.354{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\StaleAdapterDWORD (0x00000000) 13241300x800000000000000024460Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:57.354{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\CompartmentIdDWORD (0x00000001) 13241300x800000000000000024459Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:57.354{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\FlagsDWORD (0x00000002) 13241300x800000000000000024458Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:57.354{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\TtlDWORD (0x000004b0) 13241300x800000000000000024457Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:57.354{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\SentPriUpdateToIpBinary Data 13241300x800000000000000024456Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:57.354{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\SentUpdateToIpBinary Data 13241300x800000000000000024455Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:57.354{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\DnsServersBinary Data 13241300x800000000000000024454Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:57.354{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\HostAddrsBinary Data 13241300x800000000000000024453Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:57.354{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\PrimaryDomainNameattackrange.local 13241300x800000000000000024452Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:57.354{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\AdapterDomainName(Empty) 13241300x800000000000000024451Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:57.354{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\Hostnamewin-dc-676 13241300x800000000000000024450Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:47:57.354{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\RegisteredSinceBootDWORD (0x00000001) 23542300x800000000000000024449Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:57.167{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E3E067EE7A268F863A6325864098742,SHA256=5A357BEA997F4AE4A237D0E9C0FE81CB17BBEC216402477AA7C87A2E32A8AC09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024448Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:57.120{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF7E9CEC13D6B34465022B89369497B7,SHA256=7B82501067FA789FEC2FAB1FB0098710D8DFD5DC5AD35DE2256FEEE012DEF618,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008492Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:58.215{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=072F8720020ED1FCE3084299B2A9730B,SHA256=782769C529C4C704295BBF9074E08F3CE71EBB4A6B1A369053F82064468D54DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024470Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:56.970{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local65100- 354300x800000000000000024469Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:56.970{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local54607- 354300x800000000000000024468Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:56.967{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local50198-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 354300x800000000000000024467Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:56.967{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local50198-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 354300x800000000000000024466Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:56.965{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local55441- 354300x800000000000000024465Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:56.964{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local54686- 23542300x800000000000000024464Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:58.208{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FBD467EADA00FC550E0777339A3B5D8,SHA256=45E56C84E2E42D9A2489A80C58AA8ABF2D0B28871A9DB4B86ABB4606DE8E610C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008494Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:59.230{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57647B7C63694CCB3C5848D9C3F4214E,SHA256=1A26480E3EF1851275DB7A651FFCD70EF8A13456B4D4E6CB290CB64E2C6F46E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024474Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:59.927{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C3FC27238807B7BFECE9B039AA8863E,SHA256=DF2EF96447A81385B66B16A9292641F5E8413AF94C5F5C59E4264222F7244C06,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024473Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:56.971{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local56654- 354300x800000000000000024472Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:56.971{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local54639- 23542300x800000000000000024471Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:59.208{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=023D581FA3394F1D7724FF1BDB277E58,SHA256=3791DEE253F58E0FC4C511D0FD55EC5193E69D57732038FE0002009702E3A1E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008493Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:47:57.125{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49957-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000008495Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:00.230{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B02D6F1AE223916143D37D0CC0A380F0,SHA256=79168E145D212184461534FEC77415153EFD5756624F1B800190AD5E5B0674DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024489Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:58.660{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local50199-false10.0.1.12-8000- 13241300x800000000000000024488Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:48:00.365{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\RegisteredSinceBootDWORD (0x00000001) 13241300x800000000000000024487Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:48:00.365{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\StaleAdapterDWORD (0x00000000) 13241300x800000000000000024486Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:48:00.365{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\CompartmentIdDWORD (0x00000001) 13241300x800000000000000024485Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:48:00.365{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\FlagsDWORD (0x00000002) 13241300x800000000000000024484Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:48:00.365{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\TtlDWORD (0x000004b0) 13241300x800000000000000024483Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:48:00.365{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\SentPriUpdateToIpBinary Data 13241300x800000000000000024482Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:48:00.365{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\SentUpdateToIpBinary Data 13241300x800000000000000024481Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:48:00.365{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\DnsServersBinary Data 13241300x800000000000000024480Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:48:00.365{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\HostAddrsBinary Data 13241300x800000000000000024479Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:48:00.365{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\PrimaryDomainNameattackrange.local 13241300x800000000000000024478Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:48:00.365{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\AdapterDomainName(Empty) 13241300x800000000000000024477Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:48:00.365{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\Hostnamewin-dc-676 13241300x800000000000000024476Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:48:00.365{6EDEAD03-FC1D-615B-1300-00000000FB01}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{12612BE9-6044-47C0-97F0-8C78AB4B3889}\RegisteredSinceBootDWORD (0x00000001) 23542300x800000000000000024475Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:00.240{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F0CADB579320642AD5AF662ABDEDBFB,SHA256=6C1F1F2227DD8E4513D62BE222136AB0E4AF19FB0B0985BDC165F8E469650195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008496Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:01.465{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE86BA5F2FA47077F9B86D91FDB4ACE,SHA256=782903A3C324697EA3355B6D046DF7C9A6CA8F7BDDBAC59D2D690AE6A27AE3FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024492Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:59.975{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-676.attackrange.local53domainfalse10.0.1.14win-dc-676.attackrange.local54618- 354300x800000000000000024491Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:47:59.974{6EDEAD03-FC2A-615B-2E00-00000000FB01}1160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local57546- 23542300x800000000000000024490Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:01.286{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=529B8435AF2609FE4024062C04B53A0C,SHA256=F716C371CD35EB4506FFE6B3972F52C73E0C5003DA3C7A640CE76CBA47323114,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008497Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:02.699{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D54A3B6632BE5C134A19A9639440E557,SHA256=D935CC93689FDC9B225BA04B69D700604F11FE7E2682012A0407AFEF453B1552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024493Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:02.286{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6277A0E9FCB3600AA8CE884B9DF48833,SHA256=0A39C2BA2A8EE7E51BA770BE37FA8897947A818A78A4723777992E905AE3649A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008499Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:03.902{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ADEC23DB6AA2F3D609509502C4AE349,SHA256=7A9F23D6EF28AE35991355D6568696B98522D01BED93A52EB296B4896466AE65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024494Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:03.302{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF73B61837F6F68585F9A687D1100DEC,SHA256=4EA1A62F8893BD1C41FDE3EFBFDF5EA029869F03A7ACE3C1268EA365CB6D06EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008498Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:02.248{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49958-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000008500Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:04.996{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7371347A17BF03E18C0EB5208762DAC5,SHA256=1154B8E4EEBCC55B7935DA6D20C5FFF13533A8F779867B5E0181AFEBD79386E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024495Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:04.318{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A45AC7B904CD4A1E6122242246D3FEDC,SHA256=13F50412007A3D6AF1B9CE50699ED796BBCB6C3333F802B484AD00589B559E76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024496Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:05.444{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87FAB231CBF40ECEA69E0761A17A07FE,SHA256=0414707765DF612FCFC7481D2259A584DCDEF38176A749AF80CB66CDE2B1B025,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024498Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:06.444{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7383D6476CB58E687496642D8A7240A,SHA256=AA91E638BC36AEE477EBE8BA19C7BE2C695BA713FE8951AE1162D10D38DDE4F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008502Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:06.734{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\respondent-20211005072534-021MD5=9DBD3CF651CAD1963D7DD9E70795396E,SHA256=D00FE5240C0E39CC33FD8ADFFDA13197E8833401D0A3D05F731F6A79B8E00229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008501Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:06.199{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECB14962A7D4D027A9E6568262F2B4B6,SHA256=437A8161F1C3037FE6502E3D9EFD2D0523C0072732BFD7CCD3AB47B8F4B5C872,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024497Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:03.862{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local50200-false10.0.1.12-8000- 23542300x800000000000000024499Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:07.444{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E654E67921E796153FF497F9207C39FB,SHA256=76987495CA1CFCADAEDBF90560B8BCE3517DCC56CA168F556978EA033B6890C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008504Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:07.747{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\surveyor-20211005072532-022MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008503Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:07.262{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F6687CF0625DD8CC100BCB6CBA2B77,SHA256=7123D87542EB47004AAD285B7A550605582F4C7107FB06D71318A3B1EDB2FADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008505Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:08.263{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB68A30AD78C7C1B8EAF823C7F2C197F,SHA256=E49E736BFD7DC1211E381218877FDF14AC04D0D58BD988036B23E5442F9E7B39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024500Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:08.444{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8D4E907FF7EC8795735B5C1278D663A,SHA256=7EC66A59628587B83838F6FD5230009E863BFE9F0C93BE474BDBDC3FEE9736E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008507Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:08.122{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49959-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000008506Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:09.279{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58DF0A1E414C5785F9CE2300559BBBC3,SHA256=248778CAFAC6DB7FC09378271F44EEBC36930C5A409BA8DAC3A77758FC42F397,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024501Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:09.460{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3712FEAECEA21B692D3898F52C471642,SHA256=0BCCD3366120D7736FF600124D26964A384E6C865D5C00819BBBC33765E22277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008508Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:10.450{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B84815FC7FDBEFEA23A4852CAF9CDD90,SHA256=57BEC5C847CA98998113F2BB36C7FE55C506B8A3B82C216A9C4D05669FB5011D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024502Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:10.460{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BAE22E5CA8B2C1D2ECD52FC73C2AF54,SHA256=7441C374C45B3213913F2B84C612C02666EEE869A354F192D23A6BFEAAFC6100,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008509Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:11.685{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4AE358E7D513DBC48B41BA9C2533788,SHA256=8ED95412EBEE3ADA4E3E977CD4A2CC33B3C0B24B200A30CBE861016C22664D94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024504Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:11.460{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D899CCFC2763BCDF70EB956FEEC21BA,SHA256=7F8A9F1419EAEE02908B74189787D83A069F87813A84437774AF52D85244A12E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024503Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:09.770{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local50201-false10.0.1.12-8000- 23542300x80000000000000008510Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:12.700{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=777A7729C9E9FBD75BB4E393213D6223,SHA256=BE9EDD2D177329B4B940B205BA4238324954A719B0DB97BC98E479B6419B7636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024505Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:12.647{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFC3648CFE589BDCF2FBB9C9F319ECC7,SHA256=14C6AF3D0D3F648AED4959CE971A65898A65E6CF0344424F312BF83D40719BC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008511Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:13.935{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5118CAB6C2966E9B3E7F4129281E0FA6,SHA256=0B20B6C4842E30647A3A6331A16F5E8E353E76B9586B76F33EB284596CAB2E39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024506Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:13.663{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B97374C0635D1C836E5A6E7B93487939,SHA256=3DB85A96C142241AD1E054ED8F4B5CD93C7D70C764F7E63D5EAEE5F7D83DBB25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024507Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:14.678{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75BF6447C75DF238F79B66F9332FAA81,SHA256=39884AF61A0B82F88EB54DB0C1A9B940D0F52593F8C14B46715ACDB28BC41A4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008512Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:13.280{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49960-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000024508Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:15.694{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D0898A46117BF54EBAACE7E58EC5A09,SHA256=C8DFFA01D0CE847A10B6CD9153B89938431254FB346926765F9A35137D7275B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008513Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:14.997{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3BF56D61B04E90CB40E78620E4B2A9C,SHA256=02761180CF487095552A7E0DAC4B827B079834BCDF4620505014112727E52FFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024509Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:16.710{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8BA6DC0416BC5226AA4F8866A5B4F77,SHA256=16A63B008687EA8CE5CC2521827F4006EA7ACA32E7EAD57701E2A214269AEDF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008514Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:16.216{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7161AE635442BB1C612F460EB815F8B5,SHA256=0B227344B541800B41B23B757A5B08AE596B73F1D53C04E94E3E69905ED8C609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024512Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:17.712{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60858A13BFE5102175A9E3A365CC641B,SHA256=D67E583BABE27636DD205C1AA6D40C208D2906DD51149B3C8DFCE5680C51FD45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008515Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:17.232{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB6B187FA6A775DA72CC7E377A152A7E,SHA256=0A0F0D34E57A6F3538C72AA4C575659E4DB118171C6B97DF61EFA78EA0833569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024511Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:17.335{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDAABEEFBAE7807D654BED8D0632917D,SHA256=87EA4EA2DC9F1B95CB7DB3F41B3913FE70D542484C4446945AD2C4BCC7D87EF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024510Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:17.335{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC3AC1A26CCDCA1449EA3CC62ECBC607,SHA256=A182CBE2DCC7CE520D932DE96F41C1F876EF9C9BB47A70B71922146F4761FE3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024516Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:18.728{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8121ADC732AC31C3A6AA3F1771C7986,SHA256=3B4CA19F2D200DA81C10F8671F9164082D6F963F9B4A777460344AA14E3AAD52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008516Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:18.266{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3355132D89E8F213FBD3740D962B1568,SHA256=D6109CABF4F7CD904BA1B488FDB5F2FA1F265B37F8F61D27B0DC837018C65F61,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024515Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:15.942{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local50203-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 354300x800000000000000024514Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:15.942{6EDEAD03-FC2A-615B-2900-00000000FB01}2912C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local50203-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 354300x800000000000000024513Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:15.645{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local50202-false10.0.1.12-8000- 13241300x800000000000000024520Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:48:19.931{6EDEAD03-FC2A-615B-2D00-00000000FB01}1000C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x800000000000000024519Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:48:19.931{6EDEAD03-FC2A-615B-2D00-00000000FB01}1000C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\3921F692-FD43-40E6-838A-1597F7469C61\Config SourceDWORD (0x00000001) 13241300x800000000000000024518Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 07:48:19.931{6EDEAD03-FC2A-615B-2D00-00000000FB01}1000C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\3921F692-FD43-40E6-838A-1597F7469C61\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_3921F692-FD43-40E6-838A-1597F7469C61.XML 23542300x800000000000000024517Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:19.744{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C458DE0867A40A50C9A77107ED8B551,SHA256=92E7E2DB74A70344CB7F1688BCE195E89D092BB703E8AD04D310A4390035412A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008517Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:19.328{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=241D25014FB3C234C7BB31CC3342DDCB,SHA256=2569EA091AB72EBAA140ABF5AE12A9FD61E80EC530F3CC2D588F8DB00218CF8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024521Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:20.759{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=801CC46FAFDA84849A152FB3DDD25A1D,SHA256=2525F3B702B471E3318F7C86359DEB3CF6F94A83DC7C3B257B062C4DA688E7E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008520Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:19.049{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49961-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000008519Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:20.453{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E29839503326ADA9CD32DC2D1D793226,SHA256=F4EA6E4EA680B6AB0D48DAECA0A59130FE4083D35244203152B1D30A538B24BB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000008518Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 07:48:20.031{49C67628-FDEC-615B-1500-00000000FC01}104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b9bd-0x5d8ede5e) 22542200x800000000000000024533Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:19.917{6EDEAD03-FC2A-615B-2D00-00000000FB01}1000win-dc-676.attackrange.local0fe80::b879:39b3:8bb9:e640;::ffff:10.0.1.14;C:\Windows\System32\dfsrs.exe 23542300x800000000000000024532Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:21.775{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D6D8178263E4D178C9CE4BEE5620EB0,SHA256=C5A5BB24F6F6BECCAFB311AF418AD5A65E13C68EE1EB318B71AB2EAE54E5CAA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008522Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:20.048{49C67628-FDEC-615B-1500-00000000FC01}104C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal123ntpfalse169.254.169.123-123ntp 23542300x80000000000000008521Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:21.594{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=042A5C28B44A64E03298EB112BFA204B,SHA256=2B7910702AA2B44D49E9BC536F0F7EF0890B2981BD4B647DAF4F67FAAB7A84DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024531Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:19.558{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local50206-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local389ldap 354300x800000000000000024530Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:19.558{6EDEAD03-FC2A-615B-2D00-00000000FB01}1000C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local50206-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local389ldap 354300x800000000000000024529Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:19.549{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local50205-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local389ldap 354300x800000000000000024528Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:19.549{6EDEAD03-FC2A-615B-2D00-00000000FB01}1000C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local50205-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local389ldap 354300x800000000000000024527Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:19.524{6EDEAD03-FC1D-615B-0D00-00000000FB01}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local50204-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local135epmap 354300x800000000000000024526Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:19.524{6EDEAD03-FC2A-615B-2D00-00000000FB01}1000C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local50204-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local135epmap 10341000x800000000000000024525Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:21.369{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1500-00000000FB01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024524Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:21.369{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1500-00000000FB01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024523Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:21.369{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1500-00000000FB01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000024522Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:21.134{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDAABEEFBAE7807D654BED8D0632917D,SHA256=87EA4EA2DC9F1B95CB7DB3F41B3913FE70D542484C4446945AD2C4BCC7D87EF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024534Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:22.775{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BBFF6D268BA512E98231005A796A539,SHA256=181EAB570DF929C95E73CF126C344C67FB053DA211DD8D6E39FC36AF87E1E980,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008523Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:22.703{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=377B49B97C71CE25B0916FB882013CD6,SHA256=4C58C3E86639973CA7CD895AC059814E3AAD76F65D286B2174246C5D9AF18D5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024536Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:23.947{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6E40CA5921E3E85085A1196B9DF539D,SHA256=C8EAD024BBBECD9527C7D60D495B8B0B2C7167D9ABFAFC84CC32D763B21DD933,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008524Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:23.938{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D8B3E8081B9EA682F31FEC506E09E67,SHA256=FB172060CD62C1A9CF07173986095021F23F840E38807B5110EC95C3AB44821F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024535Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:20.741{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local50207-false10.0.1.12-8000- 23542300x800000000000000024537Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:25.072{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21A3AAA18F022C1D875CA7E589515708,SHA256=8115316FE3BD1686016F4E8B154BD577497BAB01F5D344BBA2C95F5CE8590E4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008526Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:24.158{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49962-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000008525Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:25.000{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9232ADCD2612A0B40132FB7E5539CFE,SHA256=DDC1905CF4C6278918961001392315D811A721FE79F31AD9B957128B053BAE9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024538Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:26.228{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9160255452FD96849A5BCE980FFE2A0F,SHA256=38E5F3316B11C8D3A8ABD8B5A011970D455DA305060A6C6814478B5945D5B276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008527Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:26.141{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33FD8022DD5388819DAA817078A0B476,SHA256=7CF3278486BE4B26234655A0293D3FA2F8DA6A4BAD7A57B06B1DA8E436A9CF64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024539Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:27.338{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2438E4501CED83BEF0063B1287B239B2,SHA256=6E80850C28A94CFBE87C0AFFDA3308A52C154BFA0F75872FAC3C479F1214EFF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008528Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:27.297{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED0180633A349AB8CF18FD56855B8DA2,SHA256=E14FA11CCE643E5CC213B1037642688E06D839E363A1689A49A256F9123A7A47,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024541Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:26.695{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local50208-false10.0.1.12-8000- 23542300x800000000000000024540Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:28.338{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDA1D0B866FE1D99397D895D540C167C,SHA256=8F521E33C0E8F6F7124E72274FC7EB914D80D93495FA4520DE8ED1CE6097CC05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008529Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:28.329{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27EAC973327CE943FD79C560E9EE838D,SHA256=E6BE0CE03DBE48671BA70AD49BBE72F9558DCFF9345D74895E975B7CAA87F61E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008530Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:29.344{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FCC4E9B49F55D6CCEB2ADB2253A9623,SHA256=080941749103AA9A8B5FB3826E266448D1E029DAD0C0DD981B6DD5998E0DC7CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024542Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:29.338{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45602431EA7D0382D6C743719EA4E594,SHA256=564071C49F5EDFE38BAEA863BCB6BE9E72A836B9A79B808BB41F059B97642FE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024543Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:30.353{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79EF9CDEC57E20A3A461AC7EDCB0A350,SHA256=D870DA727172475C12A1F666501FD465292F07A73EAF18C64C997DF34C17C9FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008531Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:30.344{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A5F64DFD5A3A560E3301064E1940C54,SHA256=4BCDF4CC9DA42435235412883104407C993D7E6E20309EEE23AB3520D32C4CB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024544Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:31.384{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E75C6F2388DF7AC361AA269A7CC7F5E,SHA256=21E130F51EFDA99201DD8BD44C22A779579C1BBDDA93973C35D0BD7DF9C12C8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008532Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:31.360{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20AEE1D59EBB914D6B1434C12AA8E818,SHA256=2DC2E0145056216A717A5B67B419D4341E26C52B9C6435ECE744DA73F2EBBB6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024545Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:32.431{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45CB6AF949882C7E3D9800581CED6C74,SHA256=5C0BDFD38B3BE19FA2F73256A04A67B73BE6773C0F2EFD62F7E206AD779C2D36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008535Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:32.360{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5693DD677C99AA551F3B1C368E443DE,SHA256=01D639EBE226DC660B50054992C56700D9A92D34F3C9005E9E31F92E3D8A80A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008534Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:32.219{49C67628-FDEB-615B-1100-00000000FC01}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6BA019E3BE25CE0FEA12FBACF188CFBD,SHA256=0A345EF063D0F92A2241D52C1DC1DF59680345F4E58378ED0D3E759793AF53BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008533Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:30.143{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49963-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000008536Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:33.360{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB0542E90F1FF326B8F6CF850CF36CF,SHA256=1A7FE3A2F9409E8EB737CF5999E4F258188756779F6A656EE7891827249DCD41,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024547Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:31.804{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local50209-false10.0.1.12-8000- 23542300x800000000000000024546Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:33.431{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6CE5CF61F6085B1D68F994D2508AA1F,SHA256=FB73D489D7D01CFF550ECF83B3D026DE3B9E0B37FA71934ED7BC29014A7D74DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024548Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:34.447{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0683567FC952EFE7F8689BE0EE972D0,SHA256=C14E3E3869D405C57DBA05EDF5786017AD1C224B47116B89BF44C923C912244B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008537Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:34.375{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CFD565178AA243966DD000812322AC5,SHA256=470B4678B7B283FF1BA25509CBB62CBFFCD394BB133B4CF598D8991B0D64B804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024549Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:35.525{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31EA6303DAE1E415124559B19A641C19,SHA256=0B8BB41B5A5E16AE293B33BCAB94221D9F9C0EF7EB442FF2AFBCC275682D71C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008538Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:35.375{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFDBF07B4A5EE12500317F25A1BD6863,SHA256=CE55F5985086FF92DB870515CA6E5921B474C3DF7D11391BF2DDC552CAC6632C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024550Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:36.775{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA6E59F7D21A366C5CF927E104135EC8,SHA256=4BCF0AEBE5FAF7B7AC645AC7E106B33D4C4A2C6556809154E6600614536B50E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008539Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:36.375{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5932917456BAB24EF7301D3269C793,SHA256=CFBDB90133531C248E5D1BA1DB22A19AA6678CB93F8E619112EAE45236A5B1FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008541Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:37.375{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B8FB48225EB29D7B26267D48E087EAB,SHA256=DE58E3744370868851F8DE2FD1330E5F371DF39CF02E89595C35127A5C37C93D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008540Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:35.142{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49964-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000008542Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:38.380{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E72C7218EE2E4F1A625B9C72C56B8C12,SHA256=832B5E6FB037DFF64C7987394D5C13D9F7D0A48C6EF2BE2710E0DCB9A90E4B68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024552Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:38.874{6EDEAD03-FCBF-615B-AF00-00000000FB01}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024551Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:37.999{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42653C695DF5010A8A63C313CB33B878,SHA256=CB74D780385965DAD7360A10EF72BFAED36B28A406C717D552DC508EB3DF591C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008543Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:39.380{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C93F9A3FA522093B9F24D01C37C06D2F,SHA256=BF8657FABE7DD31A2FD0BB25B4E95FB8066C680CE99E45991D572EB144A92392,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024553Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:38.999{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94280FF95699EEF5B62EBE169158C856,SHA256=BA455D267E6E4D1D52DEFCA1F5864835EEC27DA45E41A00E785A9F42F65F2D54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008544Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:40.505{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEE3230823CB814A0D4966AE2CACB003,SHA256=DA5621F93B29703C0729E55770C77457048B894B403D38BD3F359AFBB48C0633,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024572Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:40.905{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0358-615C-5305-00000000FB01}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024571Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:40.905{6EDEAD03-FC1D-615B-0C00-00000000FB01}848304C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024570Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:40.905{6EDEAD03-FC1D-615B-0C00-00000000FB01}848304C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024569Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:40.905{6EDEAD03-FC1D-615B-0C00-00000000FB01}848304C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024568Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:40.905{6EDEAD03-FC1D-615B-0C00-00000000FB01}848304C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024567Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:40.905{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-0358-615C-5305-00000000FB01}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024566Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:40.905{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0358-615C-5305-00000000FB01}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024565Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:40.906{6EDEAD03-0358-615C-5305-00000000FB01}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000024564Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:40.233{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0358-615C-5205-00000000FB01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024563Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:40.233{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024562Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:40.233{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024561Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:40.233{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024560Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:40.233{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024559Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:40.233{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-0358-615C-5205-00000000FB01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024558Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:40.233{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0358-615C-5205-00000000FB01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024557Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:40.234{6EDEAD03-0358-615C-5205-00000000FB01}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000024556Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:38.465{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local50211-false10.0.1.12-8089- 354300x800000000000000024555Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:37.778{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local50210-false10.0.1.12-8000- 23542300x800000000000000024554Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:40.014{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E0DB0385ABB0A6C219A39F5258D5DB3,SHA256=BD0C1B8FD5B46C2ABD5F163BC42F79FF83169C2E4AA918DFEF5F34E43E487291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008545Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:41.646{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=363939F59A39947E9A42B460ED305ECD,SHA256=40E3E4EDFCEB90EC8807A04C1AB27AE83C24EDBDBAD4C9872B6ED8E326372D79,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024584Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:41.514{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0359-615C-5405-00000000FB01}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024583Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:41.514{6EDEAD03-FC1D-615B-0C00-00000000FB01}848304C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024582Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:41.514{6EDEAD03-FC1D-615B-0C00-00000000FB01}848304C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024581Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:41.514{6EDEAD03-FC1D-615B-0C00-00000000FB01}848304C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024580Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:41.514{6EDEAD03-FC1D-615B-0C00-00000000FB01}848304C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024579Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:41.514{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-0359-615C-5405-00000000FB01}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024578Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:41.514{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0359-615C-5405-00000000FB01}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024577Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:41.515{6EDEAD03-0359-615C-5405-00000000FB01}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024576Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:41.467{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82CF3C163474F50DA8FD329B568C662F,SHA256=AE57731443385803F60C97942A23F9EFD0C5C35072DD069956E60069ECB00D98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024575Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:41.467{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CE055CBBB548F956D37B4337B482FD6,SHA256=72DE9061DC89AA3F4B181943105F1932A7C23EEBF900E0C5D20E27BFD26B0E69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024574Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:41.077{6EDEAD03-0358-615C-5305-00000000FB01}57324516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000024573Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:41.045{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C53B400618E6458CAFB1999C146558A,SHA256=29399B651E78A1031C7AA30C136F6B3F4533CA34C85D065832ED4FDDFB44FE1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008547Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:42.724{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75EA4C121C71C9C5C8FA861D321726B3,SHA256=F475443E76F67986ADEB375F4CC27A76915CABEEFA9B90AC5994A4334D2AD53E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024595Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:42.717{6EDEAD03-035A-615C-5505-00000000FB01}19084220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000024594Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:42.608{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82CF3C163474F50DA8FD329B568C662F,SHA256=AE57731443385803F60C97942A23F9EFD0C5C35072DD069956E60069ECB00D98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024593Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:42.577{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-035A-615C-5505-00000000FB01}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024592Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:42.577{6EDEAD03-FC1D-615B-0C00-00000000FB01}848304C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024591Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:42.577{6EDEAD03-FC1D-615B-0C00-00000000FB01}848304C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024590Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:42.577{6EDEAD03-FC1D-615B-0C00-00000000FB01}848304C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024589Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:42.577{6EDEAD03-FC1D-615B-0C00-00000000FB01}848304C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024588Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:42.577{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-035A-615C-5505-00000000FB01}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000024587Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:42.577{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-035A-615C-5505-00000000FB01}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000024586Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:42.577{6EDEAD03-035A-615C-5505-00000000FB01}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024585Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 07:48:42.108{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D11FB8CC625B065C0B821D92CAFFAAD2,SHA256=A7BC41FB3506F944B15130B6CDD8B1BD7B96A112482522601B43352E26338D4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008546Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:40.194{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal49965-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000008548Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 07:48:43.193{49C67628-FE68-615B-9F00-00000000FC01}1772NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue