23542300x800000000000000012067Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:35.189{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADCD6C1B55B3D29899863AAD3D7E3481,SHA256=293F1D2EFE4B52491BF142D6F40E4678C4F25FB8C87DB5AC1443CC56C63F7482,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012075Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:35.757{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal58491- 354300x800000000000000012074Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:35.756{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal50361- 354300x800000000000000012073Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:35.756{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal58998- 354300x800000000000000012072Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:35.755{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal61404- 354300x800000000000000012071Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:35.755{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal61142- 354300x800000000000000012070Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:35.725{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal62449- 354300x800000000000000012069Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:35.708{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal64344- 23542300x800000000000000012068Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:36.236{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8234684C34286392B16AFD23971C18B5,SHA256=09AD723F93BAED3EC945CAAC30C6B14417B282660E9FA552E7618AE7A5DEE9CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012079Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:36.164{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal50970- 354300x800000000000000012078Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:36.075{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal61440- 354300x800000000000000012077Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:36.056{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal64130- 23542300x800000000000000012076Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:37.240{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8D7B58299D12CE0481E9F90DC9FC09F,SHA256=DA57E5242686347D373D6431AB4758EA53C882FDD1AB1F088E9FFBAA34D5E0F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012081Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:37.075{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local62039- 23542300x800000000000000012080Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:38.272{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BE6441BECF7AAEEF753FBEC76E4CF55,SHA256=1C4896D5F51C27D4FC452E9389C4A7276568A1CC949FEDDE1E52BCBAA7C86255,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012083Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:39.050{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49274- 23542300x800000000000000012082Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:39.318{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25E1F2852F85F930BE7BED6FCD64AA46,SHA256=24BB56931FA9519E9C78FE720C0CAFD140BEE73B9259205C28FD654D32DC04E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012085Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:39.548{5ADF971D-2918-6137-6D00-00000000F001}4080C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60426-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000012084Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:40.333{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60A5665A5722BC4D4210A3B54A366677,SHA256=2F5FA7838C951722D418455E383831D90051FC800DCA02D7C0E02B70493F6A39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012086Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:41.349{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10CF432521F35BA26C359973D4BD9D63,SHA256=788FEBB924605EF21E53FC1FAA1DA22C7E67FBCF55AEFD892B1B6743F16011D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012087Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:42.380{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CF6E92B420F40039E350E4BB5445406,SHA256=00E176C2FC20EB37428B4A3475D201318FAEEF18E17EC0655D19958AA1F68DF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012090Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:43.442{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7897C5EC974FCC7CBA4153E7A521AA3B,SHA256=EC6542BAEDECA5F880ACE8059FD2249ACD8541C57FF5D4ACF10FAC85CF59CBB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012089Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:42.114{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal52848- 354300x800000000000000012088Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:41.378{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51165- 23542300x800000000000000012091Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:44.473{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=581286578317B49356FD46E860F3CA3D,SHA256=E24EC90C7FE64D81363F3DD5117C4DB0A4F95ED1E6E2007B097952384A1E1116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012092Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:45.488{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=278DF84F05971D18A43F31F261F2D64A,SHA256=8B475FE28F00128A186AD5F01CFD0E74EFF812FE7B1C8BCFB6C2E46B8D516014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012093Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.504{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=878C873D5246A2C90A412A09514CA318,SHA256=61EFEE4258D79643F4C61F6045821930AC78FCEE2A50271E276F33AE1C7EACF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012101Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:47.675{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=155C8C263984C4957E7203B8F1B33F9C,SHA256=DF9AB1DB71E9B5FC97D2C9F01FBA3B353A29A397C92FD192A7D241966EDA2F40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012100Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:47.675{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58F9F8B944EA1FBDAD5AFD476352706C,SHA256=F0BC28DC889C061F30A05E7647EC7C65B5FB6EB7239B8E655FE335F3A006DCD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012099Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:47.675{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7FB880B91B692C6408A25913F576E00,SHA256=E3230400A8FF89A30DD3E32C30F4F1532AF2A3BB98F569AE5878D8D22CD2946E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012098Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:45.900{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local389-false10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal54524- 354300x800000000000000012097Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:45.832{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local389-false10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal54523- 354300x800000000000000012096Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:45.830{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal54521- 354300x800000000000000012095Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:45.830{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal64509- 354300x800000000000000012094Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:45.329{5ADF971D-2918-6137-6D00-00000000F001}4080C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60427-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000012162Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:47.243{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal53221- 23542300x800000000000000012161Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:48.816{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64CF56E626EAF10A5CF6B2FEE53C6C3,SHA256=2F34292A64DBE04FF3E006CE8416A95C755167968C299DF783DAA13C3906778D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012160Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:47.085{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49731-false10.0.1.14win-dc-228.attackrange.local389ldap 354300x800000000000000012159Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:47.084{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49730-false10.0.1.14win-dc-228.attackrange.local389ldap 354300x800000000000000012158Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:47.076{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49729-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012157Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:47.075{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49728-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012156Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:47.072{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49727-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012155Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:47.038{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49726-false10.0.1.14win-dc-228.attackrange.local389ldap 354300x800000000000000012154Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:47.038{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49725-false10.0.1.14win-dc-228.attackrange.local389ldap 354300x800000000000000012153Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.969{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local389-false10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57492- 354300x800000000000000012152Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.963{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49724-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012151Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.962{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49723-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012150Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.947{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49722-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012149Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.946{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49721-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012148Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.944{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49720-false10.0.1.14win-dc-228.attackrange.local389ldap 354300x800000000000000012147Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.934{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49719-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012146Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.934{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local389-false10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57491- 354300x800000000000000012145Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.934{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49718-false10.0.1.14win-dc-228.attackrange.local49676- 354300x800000000000000012144Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.933{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49717-false10.0.1.14win-dc-228.attackrange.local49666- 354300x800000000000000012143Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.933{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57490- 354300x800000000000000012142Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.931{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local389-false10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal58421- 354300x800000000000000012141Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.930{5ADF971D-28FE-6137-0D00-00000000F001}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49715-false10.0.1.14win-dc-228.attackrange.local135epmap 354300x800000000000000012140Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.930{5ADF971D-28FE-6137-0D00-00000000F001}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49716-false10.0.1.14win-dc-228.attackrange.local135epmap 354300x800000000000000012139Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.930{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal58420- 354300x800000000000000012138Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.820{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local389-false10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal52478- 354300x800000000000000012137Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.819{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal52477- 354300x800000000000000012136Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.772{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal64731- 354300x800000000000000012135Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.750{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal53759- 354300x800000000000000012134Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.745{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal62223- 354300x800000000000000012133Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.745{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal56832- 354300x800000000000000012132Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.710{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local389-false10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57133- 354300x800000000000000012131Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.709{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57132- 354300x800000000000000012130Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.706{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local389-false10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51537- 354300x800000000000000012129Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.704{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51536- 354300x800000000000000012128Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.703{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49714-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012127Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.702{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49713-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012126Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.689{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49711-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012125Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.688{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49710-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012124Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.673{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49709-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012123Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.673{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49708-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012122Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.655{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49707-false10.0.1.14win-dc-228.attackrange.local389ldap 354300x800000000000000012121Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.637{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49706-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012120Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.556{5ADF971D-28F9-6137-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49705-false10.0.1.14win-dc-228.attackrange.local445microsoft-ds 354300x800000000000000012119Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.555{5ADF971D-28F9-6137-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49704-false10.0.1.14win-dc-228.attackrange.local445microsoft-ds 354300x800000000000000012118Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.554{5ADF971D-28F9-6137-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49703-false10.0.1.14win-dc-228.attackrange.local445microsoft-ds 354300x800000000000000012117Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.499{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49702-false10.0.1.14win-dc-228.attackrange.local49666- 354300x800000000000000012116Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.495{5ADF971D-28FE-6137-0D00-00000000F001}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49701-false10.0.1.14win-dc-228.attackrange.local135epmap 354300x800000000000000012115Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.482{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49700-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012114Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.481{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49699-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012113Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.480{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49698-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012112Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.477{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49697-false10.0.1.14win-dc-228.attackrange.local389ldap 354300x800000000000000012111Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.471{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49696-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012110Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.469{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49695-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012109Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.465{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49694-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012108Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.459{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49693-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012107Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.394{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local389-false10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal60997- 354300x800000000000000012106Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.383{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal60995- 354300x800000000000000012105Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.377{5ADF971D-28F9-6137-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49692-false10.0.1.14win-dc-228.attackrange.local445microsoft-ds 354300x800000000000000012104Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.375{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal63327- 354300x800000000000000012103Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:46.369{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal65488- 354300x800000000000000012102Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:45.959{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local389-false10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal54525- 23542300x800000000000000012163Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:49.815{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2277E929B4B46140BCE94298F88BC3C6,SHA256=E5F25783C39733C827CCC90785571C9653331C60998D088826E403BC0678B99E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012165Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:50.831{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53E50B74E6DB934F119AA42C64E9F8B0,SHA256=85012E5138B870D3ED244253C7B146367A3789CD38296CD0EE4F52A1BBE7A79C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012164Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:47.244{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal61122- 23542300x800000000000000012167Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:51.875{5ADF971D-290E-6137-2D00-00000000F001}3020NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0073eacd0895a4f95\channels\health\respondent-20210907085544-005MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012166Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:51.842{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BFAF3B02D56968A1D9AB69AAA989FB7,SHA256=3108301F583D0D3291B64AAA17F46444AF30F985EE790C8CC11217375EB76211,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012170Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:52.874{5ADF971D-290E-6137-2D00-00000000F001}3020NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0073eacd0895a4f95\channels\health\surveyor-20210907085542-006MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012169Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:52.858{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DB7BA0BC2D609F6BFF11FC9C1463A8F,SHA256=30AE5435CF52E4500FD74F29F82A242564317B4A77E02EAE0E7E68739290BB9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012168Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:50.392{5ADF971D-2918-6137-6D00-00000000F001}4080C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60428-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000012173Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:53.858{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE17BE97F7C6848CD34CC11E916781F0,SHA256=9E399DC68AA76E4F1AE346036A61F17F3FFAFC37A8668602C980E931EE88C87A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012172Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:51.641{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal52756- 354300x800000000000000012171Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:51.640{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51421- 23542300x800000000000000012203Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:54.983{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADD33FB4894A69DE1D7D2667EF0FD923,SHA256=C2524078FD9152234B10740FD2863770A365E13065F85847BE7032E98E251AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012202Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:54.983{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=155C8C263984C4957E7203B8F1B33F9C,SHA256=DF9AB1DB71E9B5FC97D2C9F01FBA3B353A29A397C92FD192A7D241966EDA2F40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012201Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:54.873{5ADF971D-290F-6137-3700-00000000F001}33603380C:\Windows\system32\conhost.exe{5ADF971D-2A82-6137-BE00-00000000F001}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012200Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:54.873{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012199Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:54.873{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012198Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:54.873{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012197Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:54.873{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012196Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:54.873{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012195Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:54.873{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012194Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:54.873{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012193Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:54.873{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012192Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:54.873{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012191Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:54.873{5ADF971D-28FB-6137-0500-00000000F001}408404C:\Windows\system32\csrss.exe{5ADF971D-2A82-6137-BE00-00000000F001}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000012190Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:54.873{5ADF971D-290E-6137-2C00-00000000F001}29804040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ADF971D-2A82-6137-BE00-00000000F001}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000012189Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:54.765{5ADF971D-2A82-6137-BE00-00000000F001}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ADF971D-28FC-6137-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5ADF971D-290E-6137-2C00-00000000F001}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012188Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:54.873{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75AE01C58755A10B729FBB13165BAD23,SHA256=3A2102E2429BA4B8EF2CE2AC3CD7770F2956F78F68731AC4B2BC989AE906A979,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012187Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:52.758{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal56863- 10341000x800000000000000012186Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:54.092{5ADF971D-290F-6137-3700-00000000F001}33603380C:\Windows\system32\conhost.exe{5ADF971D-2A81-6137-BD00-00000000F001}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012185Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:54.077{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012184Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:54.077{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012183Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:54.077{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012182Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:54.077{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012181Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:54.077{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012180Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:54.077{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012179Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:54.077{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012178Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:54.077{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012177Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:54.077{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012176Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:54.077{5ADF971D-28FB-6137-0500-00000000F001}408524C:\Windows\system32\csrss.exe{5ADF971D-2A81-6137-BD00-00000000F001}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000012175Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:54.077{5ADF971D-290E-6137-2C00-00000000F001}29804040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ADF971D-2A81-6137-BD00-00000000F001}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000012174Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:53.968{5ADF971D-2A81-6137-BD00-00000000F001}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ADF971D-28FC-6137-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5ADF971D-290E-6137-2C00-00000000F001}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000012219Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:55.967{5ADF971D-290F-6137-3700-00000000F001}33603380C:\Windows\system32\conhost.exe{5ADF971D-2A83-6137-BF00-00000000F001}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012218Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:55.967{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012217Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:55.967{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012216Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:55.967{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012215Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:55.967{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012214Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:55.967{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012213Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:55.967{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012212Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:55.967{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012211Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:55.967{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012210Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:55.967{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012209Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:55.967{5ADF971D-28FB-6137-0500-00000000F001}408424C:\Windows\system32\csrss.exe{5ADF971D-2A83-6137-BF00-00000000F001}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000012208Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:55.951{5ADF971D-290E-6137-2C00-00000000F001}29804040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ADF971D-2A83-6137-BF00-00000000F001}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000012207Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:55.780{5ADF971D-2A83-6137-BF00-00000000F001}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ADF971D-28FC-6137-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5ADF971D-290E-6137-2C00-00000000F001}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012206Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:55.904{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AC96300D112A2FFFE3E1EF39466A5D3,SHA256=3410FF542D0CA3969D96541595480B10150398BF9387D72306461951A1E7E79D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012205Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:52.759{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51956- 10341000x800000000000000012204Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:55.014{5ADF971D-2A82-6137-BE00-00000000F001}50045000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5ADF971D-290E-6137-2C00-00000000F001}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000012221Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:56.934{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43061E3CDAB4ABBAC5583797F17B7365,SHA256=A601715B5768C2D0C0EE4850B76A073DFB3F7160A9C9ADA65A305B263CC6F69E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012220Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:56.217{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADD33FB4894A69DE1D7D2667EF0FD923,SHA256=C2524078FD9152234B10740FD2863770A365E13065F85847BE7032E98E251AF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012238Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:57.668{5ADF971D-2A85-6137-C000-00000000F001}48524052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ADF971D-290E-6137-2C00-00000000F001}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012237Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:57.543{5ADF971D-290F-6137-3700-00000000F001}33603380C:\Windows\system32\conhost.exe{5ADF971D-2A85-6137-C000-00000000F001}4852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012236Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:57.543{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012235Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:57.543{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012234Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:57.543{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012233Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:57.543{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012232Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:57.543{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012231Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:57.543{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012230Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:57.543{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012229Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:57.543{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012228Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:57.543{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012227Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:57.543{5ADF971D-28FB-6137-0500-00000000F001}408524C:\Windows\system32\csrss.exe{5ADF971D-2A85-6137-C000-00000000F001}4852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000012226Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:57.543{5ADF971D-290E-6137-2C00-00000000F001}29804040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ADF971D-2A85-6137-C000-00000000F001}4852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000012225Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:57.419{5ADF971D-2A85-6137-C000-00000000F001}4852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ADF971D-28FC-6137-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ADF971D-290E-6137-2C00-00000000F001}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000012224Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:56.404{5ADF971D-2918-6137-6D00-00000000F001}4080C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60430-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000012223Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:55.530{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60429-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x800000000000000012222Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:55.530{5ADF971D-290E-6137-2B00-00000000F001}2948C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60429-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 10341000x800000000000000012254Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:58.480{5ADF971D-2A86-6137-C100-00000000F001}36883684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ADF971D-290E-6137-2C00-00000000F001}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000012253Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:58.449{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D845F47BC758687CE17086B25A513FD,SHA256=3FCF3ED2902EB6009205EE9951B5955B41C9543D77E70F5E9C329D101D3C1C6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012252Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:58.355{5ADF971D-290F-6137-3700-00000000F001}33603380C:\Windows\system32\conhost.exe{5ADF971D-2A86-6137-C100-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012251Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:58.355{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012250Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:58.355{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012249Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:58.355{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012248Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:58.355{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012247Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:58.355{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012246Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:58.355{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012245Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:58.355{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012244Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:58.355{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012243Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:58.355{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012242Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:58.355{5ADF971D-28FB-6137-0500-00000000F001}408424C:\Windows\system32\csrss.exe{5ADF971D-2A86-6137-C100-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000012241Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:58.355{5ADF971D-290E-6137-2C00-00000000F001}29804040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ADF971D-2A86-6137-C100-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000012240Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:58.356{5ADF971D-2A86-6137-C100-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5ADF971D-28FC-6137-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ADF971D-290E-6137-2C00-00000000F001}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012239Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:57.996{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF3A082D5EC12F8E8C437F1306C42983,SHA256=B462DC8CE8CD32EA4D54751875626B35576A9F2F57C9EB3D54DB500B8B32E8F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012270Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:59.917{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E525D5A1DBB7621CA87271F8C58777FA,SHA256=D206D385E8F8F8FE892C509387E0B110A9DB56972EFDAE9588F6E427CD62FD91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012269Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:59.370{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E0EB2360A1F65F99CA634B2F9A0735,SHA256=BB6BDE8E22935EE78DF3AA24D8132DDE6F7B77D37C9ADD013938CD69F7DB8E1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012268Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:59.136{5ADF971D-2A86-6137-C200-00000000F001}41604168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5ADF971D-290E-6137-2C00-00000000F001}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012267Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:58.996{5ADF971D-290F-6137-3700-00000000F001}33603380C:\Windows\system32\conhost.exe{5ADF971D-2A86-6137-C200-00000000F001}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012266Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:58.996{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012265Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:58.996{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012264Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:58.996{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012263Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:58.996{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012262Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:58.996{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012261Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:58.996{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012260Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:58.996{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012259Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:58.996{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012258Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:58.996{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012257Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:58.996{5ADF971D-28FB-6137-0500-00000000F001}408404C:\Windows\system32\csrss.exe{5ADF971D-2A86-6137-C200-00000000F001}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000012256Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:58.996{5ADF971D-290E-6137-2C00-00000000F001}29804040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ADF971D-2A86-6137-C200-00000000F001}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000012255Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:01:58.887{5ADF971D-2A86-6137-C200-00000000F001}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ADF971D-28FC-6137-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5ADF971D-290E-6137-2C00-00000000F001}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000012284Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:00.620{5ADF971D-290F-6137-3700-00000000F001}33603380C:\Windows\system32\conhost.exe{5ADF971D-2A88-6137-C300-00000000F001}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012283Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:00.620{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012282Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:00.620{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012281Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:00.620{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012280Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:00.620{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012279Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:00.620{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012278Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:00.620{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012277Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:00.620{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012276Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:00.620{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012275Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:00.620{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012274Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:00.620{5ADF971D-28FB-6137-0500-00000000F001}408404C:\Windows\system32\csrss.exe{5ADF971D-2A88-6137-C300-00000000F001}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000012273Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:00.620{5ADF971D-290E-6137-2C00-00000000F001}29804040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ADF971D-2A88-6137-C300-00000000F001}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000012272Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:00.621{5ADF971D-2A88-6137-C300-00000000F001}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ADF971D-28FC-6137-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5ADF971D-290E-6137-2C00-00000000F001}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012271Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:00.152{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4BB1E7077B30CAB98D4A4BF87ECB5DE,SHA256=88E721CF931A553A1B63AA142E99A1DB4A270FDE87EBD43BE2C66E73F942DFCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012286Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:01.620{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C02F1A641E920119E1B49A74B3D38A3,SHA256=0AE78AB22D90010D12F018595502D86EFD5C871DAD25C959C956B8BD749E3258,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012285Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:01.183{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9CAEAB7BA8A614459B2F5B74AC3F107,SHA256=190A6FDFBEAF25DECC44EAB213CF157783176431A15F39D09A5C41873E3D1D1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012288Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:01.449{5ADF971D-2918-6137-6D00-00000000F001}4080C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60431-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000012287Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:02.198{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FB9E9B70EC4CCA158F32E9FEEEB9FE0,SHA256=FC3ABDB58D654B246F4308FB098B7F0F56D8D8A4A242CA4BD448ADB2E36922A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012301Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.854{5ADF971D-290E-6137-2C00-00000000F001}2980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C08546E92454963B64320306AC6A1BD6,SHA256=150EC52DC458C47E70142B8094447ADDABACEC2DC20EBCAF41DE42B9422118CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012300Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.142{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal50725- 354300x800000000000000012299Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.141{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal62609- 354300x800000000000000012298Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.141{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49581- 354300x800000000000000012297Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.137{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49668-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012296Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.118{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49667-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012295Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.110{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49666-false10.0.1.14win-dc-228.attackrange.local389ldap 354300x800000000000000012294Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.108{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal52344- 354300x800000000000000012293Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.106{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal56414- 354300x800000000000000012292Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.045{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local389-false10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal64024- 354300x800000000000000012291Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.041{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal64022- 354300x800000000000000012290Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.038{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal62665- 23542300x800000000000000012289Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.213{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4B7F6201D937EA113F8624086DF0420,SHA256=186F9D3FB0F041174708033ED16F68137E76BB34EBA05C6AD57C85CBF80B6A2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012347Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.665{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49710-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012346Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.664{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49709-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012345Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.655{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49708-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012344Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.646{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49707-false10.0.1.14win-dc-228.attackrange.local49666- 354300x800000000000000012343Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.641{5ADF971D-28FE-6137-0D00-00000000F001}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49706-false10.0.1.14win-dc-228.attackrange.local135epmap 354300x800000000000000012342Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.595{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49705-false10.0.1.14win-dc-228.attackrange.local389ldap 354300x800000000000000012341Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.593{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49704-false10.0.1.14win-dc-228.attackrange.local389ldap 354300x800000000000000012340Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.566{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49703-false10.0.1.14win-dc-228.attackrange.local389ldap 354300x800000000000000012339Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.549{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49700-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012338Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.533{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49698-false10.0.1.14win-dc-228.attackrange.local389ldap 354300x800000000000000012337Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.528{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local389-false10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal58190- 354300x800000000000000012336Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.527{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal58189- 354300x800000000000000012335Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.519{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49695-false10.0.1.14win-dc-228.attackrange.local389ldap 354300x800000000000000012334Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.493{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal64470- 354300x800000000000000012333Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.488{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local389-false10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal54654- 354300x800000000000000012332Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.485{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49694-false10.0.1.14win-dc-228.attackrange.local389ldap 354300x800000000000000012331Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.466{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49692-false10.0.1.14win-dc-228.attackrange.local389ldap 354300x800000000000000012330Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.466{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49693-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012329Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.465{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49691-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012328Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.460{5ADF971D-28F9-6137-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49690-false10.0.1.14win-dc-228.attackrange.local445microsoft-ds 354300x800000000000000012327Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.457{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49689-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012326Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.457{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49688-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012325Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.456{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49687-false10.0.1.14win-dc-228.attackrange.local49666- 354300x800000000000000012324Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.456{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49686-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012323Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.442{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49685-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012322Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.420{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49684-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012321Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.420{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49683-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012320Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.419{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49681-false10.0.1.14win-dc-228.attackrange.local49666- 354300x800000000000000012319Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.419{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49682-false10.0.1.14win-dc-228.attackrange.local49666- 354300x800000000000000012318Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.418{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49680-false10.0.1.14win-dc-228.attackrange.local49676- 354300x800000000000000012317Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.418{5ADF971D-28FE-6137-0D00-00000000F001}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49678-false10.0.1.14win-dc-228.attackrange.local135epmap 354300x800000000000000012316Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.418{5ADF971D-28FE-6137-0D00-00000000F001}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49679-false10.0.1.14win-dc-228.attackrange.local135epmap 354300x800000000000000012315Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.417{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local389-false10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal54653- 354300x800000000000000012314Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.414{5ADF971D-28FE-6137-0D00-00000000F001}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49677-false10.0.1.14win-dc-228.attackrange.local135epmap 354300x800000000000000012313Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.414{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal54652- 23542300x800000000000000012312Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:04.244{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18C1FD226CBE05C9676E296381AC1ACF,SHA256=30B0D60ABE16CD958A014F8E12AE4788530EE92F3B2A86F1727F8F2AA53DE4E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012311Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:04.104{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C78F2C3DA40CCC614031F42C6BEE0DB,SHA256=A4E1BDAF96187F664E1049E154C613F307D617153B81B060B4B57737A6298D55,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012310Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.348{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal60491- 354300x800000000000000012309Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.318{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal52571- 354300x800000000000000012308Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.312{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local389-false10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51986- 354300x800000000000000012307Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.235{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51984- 354300x800000000000000012306Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.231{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal53033- 354300x800000000000000012305Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.204{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local389-false10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal60914- 354300x800000000000000012304Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.204{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local389-false10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal60913- 354300x800000000000000012303Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.200{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal60911- 354300x800000000000000012302Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.158{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49670-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012353Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:04.169{5ADF971D-290E-6137-2C00-00000000F001}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60432-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000012352Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.672{5ADF971D-28F9-6137-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49713-false10.0.1.14win-dc-228.attackrange.local445microsoft-ds 354300x800000000000000012351Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.670{5ADF971D-28F9-6137-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49712-false10.0.1.14win-dc-228.attackrange.local445microsoft-ds 354300x800000000000000012350Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:03.669{5ADF971D-28F9-6137-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49711-false10.0.1.14win-dc-228.attackrange.local445microsoft-ds 23542300x800000000000000012349Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:05.463{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01AA7C86313F41DABD9A0761871BD503,SHA256=6634E6DF180E47A3E6453CD9140545B43767D3F690D1E504066EA9BB5E183721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012348Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:05.088{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA4FB5CA039FE01C71FF211A8768E6BE,SHA256=13ABF6185571955A2B8C6D09366EA2A04041BFFE37E8E0AD099B1A951CCDDF5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012355Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:06.650{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8410EC401E1F4CE68BB31CCF2B389CDF,SHA256=98C891F1DA715F9BCF08CF94AC315096129344AA3368E336030C293C83D5F224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012354Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:06.478{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A7E49186033F075EF8F4245CFD0E793,SHA256=235F51D35BC9BAFBA18129164449B60B89403C0A4DBF9D461D32597ECE6D4681,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012365Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:06.558{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49729-false10.0.1.14win-dc-228.attackrange.local49666- 354300x800000000000000012364Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:06.556{5ADF971D-28FE-6137-0D00-00000000F001}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49701-false10.0.1.14win-dc-228.attackrange.local135epmap 354300x800000000000000012363Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:06.012{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49728-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012362Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:06.011{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49727-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012361Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:06.010{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49726-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012360Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:06.003{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49725-false10.0.1.14win-dc-228.attackrange.local389ldap 354300x800000000000000012359Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:05.981{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal52422- 354300x800000000000000012358Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:05.979{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49724-false10.0.1.14win-dc-228.attackrange.local389ldap 354300x800000000000000012357Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:05.938{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49723-false10.0.1.14win-dc-228.attackrange.local389ldap 23542300x800000000000000012356Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:07.493{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0B149AA094DC3969A6F30BDC05A8BD4,SHA256=F9F23AE0D7C206B33054C5757A02348B60108C1FE3BCDA314CF479280A1810E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012367Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:08.728{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9200520942C64A23C4C035582619BC6B,SHA256=E93138ACEC64F7B6C7FE3BE824732FDCCEEB293F060733D8631A313C5D7C607D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012366Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:08.524{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E3DFBE4E6E34B1AE68698226E18BD2C,SHA256=895963A81D835A9BAABA5CE6DAD222F77CE12BAA27F6E95F983E052F41BCCA71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012377Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:09.540{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC14FF13EC40DE976182CE19D1014B98,SHA256=DE036F2FCAC4B32D3710940D192A2E0891804FFD85D24526CF667ED8D53E7629,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012376Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:08.053{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60434-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x800000000000000012375Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:08.053{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60434-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x800000000000000012374Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:08.052{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal54956- 354300x800000000000000012373Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:08.050{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49346-false10.0.1.14win-dc-228.attackrange.local53domain 354300x800000000000000012372Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:08.049{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49733-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012371Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:08.047{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57137- 354300x800000000000000012370Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:08.046{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal60159- 354300x800000000000000012369Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:07.783{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57680- 354300x800000000000000012368Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:07.481{5ADF971D-2918-6137-6D00-00000000F001}4080C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60433-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000012378Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:10.586{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B6C3B2A9CD10D5045141E28702CB647,SHA256=9E235790ACAACDE853D0201170CDB4F85A0C641862FFBBDA02387D6625B395C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012379Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:11.586{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4826E69FD5D7B2585AB79EE3409AD18E,SHA256=0FCFA7EAD0FEE904683B2DB9B9F83B3E113FC0EA09B932029825E4A9409EDA42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012380Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:12.617{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00396FEBCABA647C7C0DD534C0029416,SHA256=0D00FD358E0058C97FB513ADBBC535A3767CFEE04E3835CB746B28C5A8AB1FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012382Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:13.633{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=660B28E74CB2CEEC4A1DF74D20C52436,SHA256=10DBA2CC40D27E9C4823B638C4AF9A87C349D32F934CFC71F16FDF105F3B479F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012381Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:11.912{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal56216- 23542300x800000000000000012387Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:14.726{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8644919164CB16C20DD210ED498A4DEC,SHA256=3C220865B5C2100F777D1F859A8B2F87DD1C6DCE9296D8A4C7DCAEB847526EB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012386Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:14.726{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE36C7591CD98E779BC8EBC52E32FA39,SHA256=143A16A2B19F55F82CFF1A32BFC5D889B3418062AC0C46E1EB1A1EA1EE9D0BB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012385Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:14.632{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC4DD4F22A210C63C54ACA22E7C975B1,SHA256=C600A6265024EA30740DBD597BAFDB5F00651D7819C35B770D3117C85A8A28B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012384Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:13.000{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal54297- 354300x800000000000000012383Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:12.991{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local389-false10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal56217- 23542300x800000000000000012394Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:15.648{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C89E449F013FAA65FB79ED6712D7083,SHA256=7E02360DA823530A51CE815B7793182414A865BE5D1D657FEC87A8248B40087C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012393Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:13.962{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49353-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012392Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:13.961{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49352-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012391Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:13.960{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49351-false10.0.1.14win-dc-228.attackrange.local88kerberos 354300x800000000000000012390Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:13.953{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49350-false10.0.1.14win-dc-228.attackrange.local389ldap 354300x800000000000000012389Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:13.847{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local389-false10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal54299- 354300x800000000000000012388Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:13.481{5ADF971D-2918-6137-6D00-00000000F001}4080C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60435-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000012398Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:16.648{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC34C04B9A286BAF08416C26BF651F44,SHA256=1B99F289E724971DA1625DCCDD1E57CB1A4E8644D45A7E6C7EEC68467ACD493E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012397Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:16.241{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8644919164CB16C20DD210ED498A4DEC,SHA256=3C220865B5C2100F777D1F859A8B2F87DD1C6DCE9296D8A4C7DCAEB847526EB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012396Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:14.717{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal59146- 354300x800000000000000012395Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:14.611{5ADF971D-28FE-6137-1100-00000000F001}380C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-228.attackrange.local123ntpfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal123ntp 23542300x800000000000000012399Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:17.661{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F0B01020C93B78FDC354244E31EFE57,SHA256=1DF6B7A5278D6315E5DA86F7621D446A42A309C45E08E969B818EE2AA220A8FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012400Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:18.676{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB7C44A206D033BE1AC8E4710DBD907E,SHA256=5023643D89518A669DE3ECCB0EC12198C0474FBDFD0CCF9FC78AA43E185761E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012402Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:19.691{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DDAA13DDC1FFD36D3549C6F8B9A48DC,SHA256=0C077DCF43FCEA6EF906AA960AC429130A8DA766F550294EB868D671722F84AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012401Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:18.151{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51561- 23542300x800000000000000012404Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:20.691{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6F9F2DEB1F07E3BBC9A08E41DEBF658,SHA256=E28718AA96B9BFD33D92DBDDA81BCCE4148F08737A404291B1950C24FF1D3A59,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012403Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:18.151{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal59909- 23542300x800000000000000012406Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:21.706{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0608687F5F3999CD1201B7AA16447B5C,SHA256=8C0FE907AEE0F07E6FBF5AB698B86A2A1D6EEFC3F3349A50C7349ECB55653A7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012405Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:19.509{5ADF971D-2918-6137-6D00-00000000F001}4080C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60436-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000012407Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:22.722{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B4250FA31FDA3381F5FB96A6C42EB1,SHA256=548BB3B193FD4FC1F03EE53C3D2EAF374C94BD84F228C36D0024B3176600D9DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012408Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:23.737{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB8C0D02AEB4C9AFD2001585756405EA,SHA256=A6C5F68CE6B4C516CCE4B4CE7EE497AB790D28ABABA8F2B0ED02F7F34AD9352E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012409Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:24.753{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4561D4B9496C9B36AF89F648A5D31BE,SHA256=D901DFA210DDFAFFC3A982AAFE1A19150D32025ADC98D0BC80ABAAF06797090E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012410Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:25.768{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A196FE7A4999DB2CA9EA4DBDF55315B,SHA256=6BB109D7F447B8B7B42F4DAD739ADA7F76BE75F339D83D879357913814D32D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012413Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:26.783{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D8182829181CF34496148E705C948B6,SHA256=36F0DA84A67113AC144B70B5A14A57820A85E5246D40EA88824FB22B7CA4855D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012412Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:25.541{5ADF971D-2918-6137-6D00-00000000F001}4080C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60437-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000012411Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:26.159{5ADF971D-28FE-6137-1000-00000000F001}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E8586E63D4A7ABF4944B5A9CA62EE057,SHA256=EAD296CABCEACD7BB9BBBCF35028EFB187A3F077B630147D525D7D329DCD189A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012416Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:27.814{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48192BD182C102E837742335C39E5254,SHA256=A864FAFCF51679EB876E7CC29163C95CD53352E17EF99652281B091DA1A6586E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012415Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:27.424{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E069522853AD57C5151341D2E02D6188,SHA256=CF1F648CC340B5147DF0ABDE6894F02C3DBF32D9F0F252CD64FCAAEBD6ADDD85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012414Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:27.424{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A275603AB98E9F2E494A0D3BF3BB5CBF,SHA256=89F6902C36F5A607E7D79B0D603806934673045AEEAA64FE7838F2C0CED62F14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012417Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:28.845{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48CB31F1CFE81FCF8E2CC3CD89122909,SHA256=A5843107F285E7DCA3D954248127F86FF6A709701AB2D91FFE2F6CA4E1CC3398,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012418Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:29.845{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D19ECF513B4215990EF3F954A4D160A8,SHA256=895A0CA7EBEF992C165F8B420C382A76A8683D30504673EB8B83AA8B48C6E56D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012419Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:30.845{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96E53CC114FB25538F9A6F5197C4F74C,SHA256=A86D798C6EE1B504316BE2D037FD6BFCA7343B951612926BDEF75DDDA8A2BB14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012420Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:31.860{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6324ECC23A0DB131145AC37D1FB77C61,SHA256=138285094B41CA09057316BF4EC1B821EFBE5AA0D7878F90F059980E6B5E13A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012422Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:32.876{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AA92C467A1227CA13529BA4BEE4FF93,SHA256=4E5682D55FA312029861B22237E56A0ACD5418EAD7E4F2B18D9FD9EE22DF8802,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012421Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:31.509{5ADF971D-2918-6137-6D00-00000000F001}4080C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60438-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000012423Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:33.891{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C20907D655B8C08251E6CE022909F3D9,SHA256=AC53DDD7ECB3477C5EB085B24D7905160106F7689E99ABC9123CE69932DB2982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012424Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:34.907{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BA1386764777C27F146BAB3DF2A7E7A,SHA256=7FAD617F4028A81E626B6FE69C5960741E2F47664D4530412E16AF99FE098A05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012425Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:35.938{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB5AD5643603A0258ABAE672778AAC7A,SHA256=E3C91E22D83224ACB00B6F35D9CEF04BAD9A2B0DAC1C0A933F3E71B1F4E5C0EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012426Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:36.956{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=893265A7EF14A04BF2A4785391B63893,SHA256=75F668EB2F8DFF7B3B411704AE3874BB0CDB664EC6ECB04C192C257C1A3A845F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012427Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:37.987{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14707AC0AAAD21A290F0C27501D9EF9E,SHA256=1CBB1A0445342ED45F959A86D013AD3BE0C0D843367312F8DD35DAA099F005C1,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000012428Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-09-07 09:02:38.409{5ADF971D-28FE-6137-1100-00000000F001}380C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a3c7-0x1b643c00) 354300x800000000000000012430Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:37.481{5ADF971D-2918-6137-6D00-00000000F001}4080C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60439-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000012429Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:39.002{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B128ADE4FB04DB5C82F5A235276C5E4,SHA256=5D654A55F0E2411068DA371842819C0DABED53AFB0631ABA237ECB4A1B9A9811,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012431Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:40.018{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B17A64E78DE3B35102EB78107795EC3,SHA256=985906665CAD3859F316AB7C4A36C94F8E520E0FC5CFF511D6FF68214AE2631F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012432Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:41.033{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBD352EA847AF3466C7EFB685C80BAC3,SHA256=A936E0FF150A4DABD0CC9DDE783E9A5EA8A4D76E92861ABFF1267468EFE85C79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012433Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:42.048{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBBFF7934C095A15A4A49D2E6B048217,SHA256=F740DBC91A3499D9B9C9756456DDA179EB99784C92111CE96FD5913015C34345,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012435Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:42.512{5ADF971D-2918-6137-6D00-00000000F001}4080C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60440-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000012434Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:43.048{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78FC440C42EF69E0EC29B0AE92187A86,SHA256=58C22BC6821C09259F7A6F9E6E9679C225B6EDAAB08A02B52699C774A3BDA9C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012436Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:44.079{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EFDD2B6AB4263D35A691B77D755E057,SHA256=6F7F148447B594552116AC3A359B7A973F3150A9430731212634C2BE0D37A9E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012437Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:45.079{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FED43654DAD3A85B5CFFE7FF807B6B7D,SHA256=5AED87D3108DD9DDAAA046C5E198C43E854E1D13969BEF0C09D891F3642CCCD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012438Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:46.110{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCF930CD24F3F1CA61EB9134F1563271,SHA256=9C58061741516B71480EB30A61516C754C9BE5C1668630C2B8E3F5D2E540E8CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012439Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:47.110{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E41E8B29F98634EB681C023A27E28C5,SHA256=D3FF0BBE6FEB0FE16338FBCFD934BAB62299F35D2D43B3241509DCC630F063CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012440Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:48.125{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=823968EDB0508ED9951C3C33F045DC50,SHA256=EA796CCD646F59BBEC312FE86E8DC9AB18755A6D26417E05D1FEABE882CA9775,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012442Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:48.528{5ADF971D-2918-6137-6D00-00000000F001}4080C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60441-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000012441Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:49.125{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F01F69758145E32CB29E8FF0FAB23FE1,SHA256=E7BFC6D50AC8BEB58951708675F5E2AF0120780E7E10C2DE1D289A905DA5F688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012443Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:50.125{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD1ED86E817CFF5E5251512090E75945,SHA256=D363D53DB08FE46BF5ACD35701149F3572F40059188B323B0616219A45A008CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012444Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:51.156{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C9683402F36948FEA2532C4397891E8,SHA256=002753D4CCBBE3137411D2C4ABE19E491CACFC798B1A7019368A49A8981823CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012445Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:52.156{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3D9E54AF306FDDC1CF5453693D47252,SHA256=813163156ADFEF8484B1384BF84984889122633019F07437CDDB5857153F0B56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012460Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:53.970{5ADF971D-290F-6137-3700-00000000F001}33603380C:\Windows\system32\conhost.exe{5ADF971D-2ABD-6137-C400-00000000F001}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012459Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:53.970{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012458Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:53.970{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012457Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:53.970{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012456Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:53.970{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012455Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:53.970{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012454Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:53.970{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012453Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:53.970{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012452Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:53.970{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012451Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:53.970{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012450Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:53.970{5ADF971D-28FB-6137-0500-00000000F001}408404C:\Windows\system32\csrss.exe{5ADF971D-2ABD-6137-C400-00000000F001}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000012449Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:53.970{5ADF971D-290E-6137-2C00-00000000F001}29804040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ADF971D-2ABD-6137-C400-00000000F001}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000012448Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:53.970{5ADF971D-2ABD-6137-C400-00000000F001}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ADF971D-28FC-6137-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5ADF971D-290E-6137-2C00-00000000F001}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012447Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:53.377{5ADF971D-290E-6137-2D00-00000000F001}3020NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0073eacd0895a4f95\channels\health\respondent-20210907085544-006MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012446Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:53.157{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=763744AD6D9270BB2B12CDA8304FDEA1,SHA256=D5712803D09CCF7F487C8E0F5B81CF40C9FA94BFAB5807C51421704CBCD5F2C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012479Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:54.971{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16B5D0E4D41049804A3A410789FFDA19,SHA256=B46F20E14767E1FD0F09C23D60D08D63BC363BDC1FC13203E274C6B84E4CAAC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012478Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:54.971{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E069522853AD57C5151341D2E02D6188,SHA256=CF1F648CC340B5147DF0ABDE6894F02C3DBF32D9F0F252CD64FCAAEBD6ADDD85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012477Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:54.893{5ADF971D-2ABE-6137-C500-00000000F001}25604708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5ADF971D-290E-6137-2C00-00000000F001}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000012476Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:53.576{5ADF971D-2918-6137-6D00-00000000F001}4080C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60442-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000012475Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:54.765{5ADF971D-290F-6137-3700-00000000F001}33603380C:\Windows\system32\conhost.exe{5ADF971D-2ABE-6137-C500-00000000F001}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012474Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:54.765{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012473Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:54.765{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012472Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:54.765{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012471Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:54.765{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012470Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:54.765{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012469Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:54.765{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012468Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:54.765{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012467Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:54.765{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012466Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:54.765{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012465Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:54.765{5ADF971D-28FB-6137-0500-00000000F001}408404C:\Windows\system32\csrss.exe{5ADF971D-2ABE-6137-C500-00000000F001}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000012464Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:54.765{5ADF971D-290E-6137-2C00-00000000F001}29804040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ADF971D-2ABE-6137-C500-00000000F001}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000012463Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:54.766{5ADF971D-2ABE-6137-C500-00000000F001}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ADF971D-28FC-6137-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5ADF971D-290E-6137-2C00-00000000F001}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012462Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:54.376{5ADF971D-290E-6137-2D00-00000000F001}3020NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0073eacd0895a4f95\channels\health\surveyor-20210907085542-007MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012461Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:54.157{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADBE8EE665485A3CE11734B1E7C6AC5F,SHA256=74B6C59B4E4BC256A060C8F07A67F521370FD9282A2B055251204F565AF671DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012493Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:55.767{5ADF971D-290F-6137-3700-00000000F001}33603380C:\Windows\system32\conhost.exe{5ADF971D-2ABF-6137-C600-00000000F001}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012492Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:55.767{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012491Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:55.767{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012490Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:55.767{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012489Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:55.767{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012488Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:55.767{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012487Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:55.767{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012486Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:55.767{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012485Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:55.767{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012484Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:55.767{5ADF971D-28FD-6137-0C00-00000000F001}832860C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012483Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:55.767{5ADF971D-28FB-6137-0500-00000000F001}408424C:\Windows\system32\csrss.exe{5ADF971D-2ABF-6137-C600-00000000F001}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000012482Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:55.767{5ADF971D-290E-6137-2C00-00000000F001}29804040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ADF971D-2ABF-6137-C600-00000000F001}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000012481Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:55.768{5ADF971D-2ABF-6137-C600-00000000F001}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ADF971D-28FC-6137-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5ADF971D-290E-6137-2C00-00000000F001}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012480Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:55.158{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DEBC7C099D2C3E1A0E8CAF4A03E8612,SHA256=5FCA2A4A6C28C73DB32AF377D57C994B7A8BD2F04557D0B7109658B631062E9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012497Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:55.531{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60443-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x800000000000000012496Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:55.531{5ADF971D-290E-6137-2B00-00000000F001}2948C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60443-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 23542300x800000000000000012495Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:56.424{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16B5D0E4D41049804A3A410789FFDA19,SHA256=B46F20E14767E1FD0F09C23D60D08D63BC363BDC1FC13203E274C6B84E4CAAC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012494Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:56.158{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51E5C3578DD8863278E9CE861DEFFA73,SHA256=E668AFF7CBA3728300BCDD52ACFA419343EE2C3FDCF021840AF0BCABD45213AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012512Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:57.378{5ADF971D-2AC1-6137-C700-00000000F001}26724892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ADF971D-290E-6137-2C00-00000000F001}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012511Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:57.253{5ADF971D-290F-6137-3700-00000000F001}33603380C:\Windows\system32\conhost.exe{5ADF971D-2AC1-6137-C700-00000000F001}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012510Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:57.253{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012509Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:57.253{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012508Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:57.253{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012507Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:57.253{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012506Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:57.253{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012505Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:57.253{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012504Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:57.253{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012503Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:57.253{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012502Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:57.253{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012501Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:57.253{5ADF971D-28FB-6137-0500-00000000F001}408524C:\Windows\system32\csrss.exe{5ADF971D-2AC1-6137-C700-00000000F001}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000012500Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:57.253{5ADF971D-290E-6137-2C00-00000000F001}29804040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ADF971D-2AC1-6137-C700-00000000F001}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000012499Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:57.254{5ADF971D-2AC1-6137-C700-00000000F001}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ADF971D-28FC-6137-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ADF971D-290E-6137-2C00-00000000F001}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012498Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:57.159{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15D75526535B98BE263AEDCF4A30BDA1,SHA256=635DA16CF07C7759D29A379432EE9433FC533840DF9740940C4ED7DE42E6D453,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012528Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:58.456{5ADF971D-2AC2-6137-C800-00000000F001}39364900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ADF971D-290E-6137-2C00-00000000F001}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000012527Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:58.331{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C27EC2676FA5E7E735A285DD93167757,SHA256=D7B52155533FF6DBDE0D0C089FC9DC69BEA3302A3A74BF93E836231B4FD664C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012526Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:58.331{5ADF971D-290F-6137-3700-00000000F001}33603380C:\Windows\system32\conhost.exe{5ADF971D-2AC2-6137-C800-00000000F001}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012525Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:58.331{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012524Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:58.331{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012523Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:58.331{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012522Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:58.331{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012521Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:58.331{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012520Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:58.331{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012519Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:58.331{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012518Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:58.331{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012517Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:58.331{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012516Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:58.331{5ADF971D-28FB-6137-0500-00000000F001}408524C:\Windows\system32\csrss.exe{5ADF971D-2AC2-6137-C800-00000000F001}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000012515Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:58.331{5ADF971D-290E-6137-2C00-00000000F001}29804040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ADF971D-2AC2-6137-C800-00000000F001}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000012514Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:58.331{5ADF971D-2AC2-6137-C800-00000000F001}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5ADF971D-28FC-6137-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ADF971D-290E-6137-2C00-00000000F001}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012513Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:58.206{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E12F17B12AF6ADA4074CAF1D85B8D1F,SHA256=B7ED91D30E51C087D14B1037715595449703B14115A2DA056CC3F989C7C34064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012544Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:59.518{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=713D5EE079E9BE95EF6214DDAD706603,SHA256=F752F04B985CE2FD1C9B626ED71D10DF097F988A3CB7FD691204AB3EEC32EACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012543Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:59.518{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=147F8FB484969732C9B6452E0E1FBEDF,SHA256=8391DF8760D38AD42AC717911171BCF0F6164B322FAA290BCA985C792F32C2EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012542Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:59.127{5ADF971D-2AC3-6137-C900-00000000F001}5020640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5ADF971D-290E-6137-2C00-00000000F001}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012541Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:59.002{5ADF971D-290F-6137-3700-00000000F001}33603380C:\Windows\system32\conhost.exe{5ADF971D-2AC3-6137-C900-00000000F001}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012540Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:59.002{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012539Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:59.002{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012538Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:59.002{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012537Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:59.002{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012536Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:59.002{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012535Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:59.002{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012534Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:59.002{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012533Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:59.002{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012532Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:59.002{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012531Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:59.002{5ADF971D-28FB-6137-0500-00000000F001}408524C:\Windows\system32\csrss.exe{5ADF971D-2AC3-6137-C900-00000000F001}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000012530Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:59.002{5ADF971D-290E-6137-2C00-00000000F001}29804040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ADF971D-2AC3-6137-C900-00000000F001}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000012529Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:59.003{5ADF971D-2AC3-6137-C900-00000000F001}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ADF971D-28FC-6137-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5ADF971D-290E-6137-2C00-00000000F001}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000012558Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:00.596{5ADF971D-290F-6137-3700-00000000F001}33603380C:\Windows\system32\conhost.exe{5ADF971D-2AC4-6137-CA00-00000000F001}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012557Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:00.596{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012556Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:00.596{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012555Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:00.596{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012554Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:00.596{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012553Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:00.596{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012552Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:00.596{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012551Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:00.596{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012550Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:00.596{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012549Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:00.596{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012548Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:00.596{5ADF971D-28FB-6137-0500-00000000F001}408524C:\Windows\system32\csrss.exe{5ADF971D-2AC4-6137-CA00-00000000F001}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000012547Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:00.596{5ADF971D-290E-6137-2C00-00000000F001}29804040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ADF971D-2AC4-6137-CA00-00000000F001}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000012546Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:00.596{5ADF971D-2AC4-6137-CA00-00000000F001}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ADF971D-28FC-6137-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5ADF971D-290E-6137-2C00-00000000F001}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012545Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:00.565{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD243884BC23D2FEDE3FEDA4E4A540D3,SHA256=F6CA7918952BDDC72A2D693BE79FFC5A948E01117AB706ADED0AC5B189A8B0FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012561Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:01.814{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78C6957097091F76BB791DEAF69E9376,SHA256=62A4D8EA591F968F0C24714DFF791899FEC9E48546C0423D1D7FEA204BBF6528,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012560Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:01.580{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99A59906812361D8CC11E1F842DB1E88,SHA256=9762384573285863A52ED8172A7017BDE5A8AEE6A848D98EE0326A85001F1485,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012559Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:02:59.517{5ADF971D-2918-6137-6D00-00000000F001}4080C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60444-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000012562Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:02.595{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=886F4B6E00271E04F258EB785A4E962D,SHA256=846C0F5BAE508D11333D9F329ED5C5D49BC77163565640D5857FDB53512027AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012564Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:03.861{5ADF971D-290E-6137-2C00-00000000F001}2980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C08546E92454963B64320306AC6A1BD6,SHA256=150EC52DC458C47E70142B8094447ADDABACEC2DC20EBCAF41DE42B9422118CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012563Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:03.626{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E230FB588FCDC1CBB617E8D12125EE2,SHA256=744E354DC057D622EEEFA44849B34D6049969B02C96FDD0E260581FCAC9A8626,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012565Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:04.689{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B76F479A2BC44F47479FF800E08C1F9,SHA256=A82D5F2ACAB3D85FB0F0718A17F48A38DD91ED354E34B7511C8219DE545910C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012567Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:05.720{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EE4DC0E541F66B35F7C29944AAF6094,SHA256=623535B872FBDB0FF8D1D8C0227A26590AF6BDE96CFD890D74E034478EFA1778,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012566Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:04.188{5ADF971D-290E-6137-2C00-00000000F001}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60445-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000012568Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:06.751{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B24ACB8C854F9A76CCC60765BE18A3F3,SHA256=B93924D5F2B86C04A644F78A74EC7D6AEB1E69B09824FECE5DBA0B41167665CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012570Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:07.782{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB0F70372188F4E0B2A4D466C5015CD9,SHA256=BD75AB746D2EAE09A9D86930BB455B1001512E2720B56A479CC8E2BF6BD732D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012569Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:05.516{5ADF971D-2918-6137-6D00-00000000F001}4080C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60446-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000012571Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:08.797{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83DF9A6A45CE890F8DD4F9C22EEEBB61,SHA256=0606565FD18EB99FD66D069D2EB9F9AF628CED76F6DD190D1947279C4DCC6165,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012572Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:09.813{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DAFD3F3A409DE17898726C821E99979,SHA256=857C39CB2D1BD620EDEBA866A99885FF496314E4C27D1784236F30FFB069F2BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012573Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:10.828{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E765BA4EC78E87E94A451E928DBD61B,SHA256=D8D2D4C71DD51B0A0C0E80CE1BCD0909D8DD541900BF51868DA8207B48CEF426,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012574Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:11.844{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6244D65D5375A34585DA427C6E27EA19,SHA256=B4A60DD836FEDA4E314C8ECA388A3755E37BEC1935EC248FA82763E785D15BAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012576Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:12.859{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64E1BC63F8EDEFCC04E893746FB6E53D,SHA256=88926ECA43F56AF48EBC1CB3904D55EA9D7CAF0176729EA920AB6D70AE8690A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012575Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:11.501{5ADF971D-2918-6137-6D00-00000000F001}4080C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60447-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000012577Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:13.859{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=307425E0DABB7563E235BA1994918735,SHA256=1F57F3DB12997E3BC2C220DAA5A2FDE775C3128C84A5A32CB2BA193EAA916B3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012578Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:14.874{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD12CDDAAB10C1742BCB406046C2D3CC,SHA256=F15A73FE411E3150ACEE8D5D8BC625BFDBFD17ED986DF46AC7C02BAA24FBC085,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012579Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:15.890{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CBE038204FA66116F579437A332BF51,SHA256=AA11EC55681375CD89F69E5A8C54B9A35F2A1FD4518842DD27B3D4DFF0F4249A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012580Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:16.905{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1B43F81BEFBD963046009A64D5034CE,SHA256=DCDD79B8FC39B1526419D908CCB8392DC24CBEAF254275AF1EB517D6DAAF4EA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012581Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:17.933{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43FE017B88C3021A0D45A40CFE78BDE4,SHA256=DBABC190B5E7468B4C0A25392A86707CC4C5C5454EDA41ECD8F9D9F51D74E053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012583Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:18.995{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15640142DDB0702932ED2979D9505BBA,SHA256=DF63BB467E9D804A7FDC8218A25AA8875CE212D9DC543AEC6E3D474A35CF79EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012582Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:17.482{5ADF971D-2918-6137-6D00-00000000F001}4080C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60448-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000012593Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:20.480{5ADF971D-2A4B-6137-B900-00000000F001}3880NT AUTHORITY\SYSTEMC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exeC:\Windows\System32\config\COMPONENTS{5a78f163-4b54-11e6-80cb-e41d2d012050}.TxR.blfMD5=2264A2E48E7BE5651856EE3E5CC7E941,SHA256=2C89F8EBFABDBBCE0101FB967FC28A50F6E03AAFB373D5EB2F06D7F39CC63276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012592Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:20.480{5ADF971D-2A4B-6137-B900-00000000F001}3880NT AUTHORITY\SYSTEMC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exeC:\Windows\System32\config\COMPONENTS{5a78f163-4b54-11e6-80cb-e41d2d012050}.TxR.2.regtrans-msMD5=B6D81B360A5672D80C27430F39153E2C,SHA256=30E14955EBF1352266DC2FF8067E68104607E750ABB9D3B36582B8AF909FCB58,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000012591Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:20.448{5ADF971D-2A4B-6137-B900-00000000F001}3880NT AUTHORITY\SYSTEMC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exeC:\Windows\System32\config\COMPONENTS{5a78f163-4b54-11e6-80cb-e41d2d012050}.TxR.1.regtrans-msMD5=B6D81B360A5672D80C27430F39153E2C,SHA256=30E14955EBF1352266DC2FF8067E68104607E750ABB9D3B36582B8AF909FCB58,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000012590Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:20.433{5ADF971D-2A4B-6137-B900-00000000F001}3880NT AUTHORITY\SYSTEMC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exeC:\Windows\System32\config\COMPONENTS{5a78f163-4b54-11e6-80cb-e41d2d012050}.TxR.0.regtrans-msMD5=B40DDC4CFD50B912B0A61323CD7F4FEB,SHA256=B3A2A2E3336720271E863869BC3EA0CE49B6A8B068D4FA96DD1F18730E0E76E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012589Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:20.339{5ADF971D-2A4B-6137-B900-00000000F001}3880NT AUTHORITY\SYSTEMC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exeC:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT{5a78f17c-4b54-11e6-80cb-e41d2d012050}.TxR.blfMD5=19A0CB8318DE0795627D2599C70B472E,SHA256=467F52112229754A8D8283EE0CFDA0FDECBA92B6FBB156E1DE600751336C5BAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012588Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:20.323{5ADF971D-2A4B-6137-B900-00000000F001}3880NT AUTHORITY\SYSTEMC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exeC:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT{5a78f17c-4b54-11e6-80cb-e41d2d012050}.TxR.2.regtrans-msMD5=B6D81B360A5672D80C27430F39153E2C,SHA256=30E14955EBF1352266DC2FF8067E68104607E750ABB9D3B36582B8AF909FCB58,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000012587Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:20.308{5ADF971D-2A4B-6137-B900-00000000F001}3880NT AUTHORITY\SYSTEMC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exeC:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT{5a78f17c-4b54-11e6-80cb-e41d2d012050}.TxR.1.regtrans-msMD5=B6D81B360A5672D80C27430F39153E2C,SHA256=30E14955EBF1352266DC2FF8067E68104607E750ABB9D3B36582B8AF909FCB58,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000012586Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:20.292{5ADF971D-2A4B-6137-B900-00000000F001}3880NT AUTHORITY\SYSTEMC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exeC:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT{5a78f17c-4b54-11e6-80cb-e41d2d012050}.TxR.0.regtrans-msMD5=8A7F31E4FA3C8E2617498494A091D4CB,SHA256=95ED45DDDFF38BFFDB857D7CB682DC9CD866602DB4FE8BEFE28972D5A594DFC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012585Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:20.276{5ADF971D-2A4B-6137-B800-00000000F001}31563212C:\Windows\servicing\TrustedInstaller.exe{5ADF971D-2A4B-6137-B900-00000000F001}3880C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\combase.dll+7d358|C:\Windows\servicing\TrustedInstaller.exe+43a2|C:\Windows\servicing\TrustedInstaller.exe+1d1d|C:\Windows\servicing\TrustedInstaller.exe+28c6|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000012584Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:20.026{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BF659C40CD3D8C3B2B749581CC5A080,SHA256=DF107C067DE322FBD3EDEBD69E4FB2A8F9F758A7655DDB9AEE423BF8FFB31506,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012594Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:21.026{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B3916C0680397611639C9B545D3157E,SHA256=964F970A7F7291DE3522E22A106456F45F9DF6B29B0C5B3C90DD16B0B8B06B29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012597Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:22.307{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C21B1360EA13F98AF5D321A7984DDAAE,SHA256=D79EBDDC4ED467431B67153A0CE478E617B6393B63324A8D89E959E377FD6314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012596Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:22.307{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=160B684A18AAC404930C4047E5A3E446,SHA256=6CCA1596FCF90CCABF146BE0B7476F872FCF9B641B23F45BAFC05E53B0E10AD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012595Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:22.042{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB9902A970BD0F878BCEA9C06B422A3B,SHA256=E68F0F22C82B35C42D03C5589CAC1EBD18EB1437F5B6B42D2E6C5E5A679E2E09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012598Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:23.042{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFAEDA18E957FADB0570ADEAEF8F2B01,SHA256=8094AAEA4CE828AF9374A70FD555D150A3C1E4D6C294EA9EC8EC3393C123CDC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012600Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:23.467{5ADF971D-2918-6137-6D00-00000000F001}4080C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60449-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000012599Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:24.073{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF556A96311240D5973ABDA465146E16,SHA256=03CB1985BAE42B167D8FF84291966E0F4FA328658D96B9F0694FFBEAA42628E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012601Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:25.119{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F77DD2C711E68E85332F711A05F82EDB,SHA256=89BAE8AAA475378B8498161CD2DC842D22F598F3FADB7D812A61CF9DB64A3F01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012622Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:26.744{5ADF971D-28FE-6137-0D00-00000000F001}8883924C:\Windows\system32\svchost.exe{5ADF971D-2927-6137-7D00-00000000F001}2248C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012621Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:26.744{5ADF971D-28FE-6137-0D00-00000000F001}8883924C:\Windows\system32\svchost.exe{5ADF971D-290F-6137-3E00-00000000F001}3496C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012620Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:26.744{5ADF971D-28FE-6137-0D00-00000000F001}8883924C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-3300-00000000F001}3120C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012619Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:26.744{5ADF971D-28FE-6137-0D00-00000000F001}8883924C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2F00-00000000F001}3064C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012618Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:26.744{5ADF971D-28FE-6137-0D00-00000000F001}8883924C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2700-00000000F001}2904C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012617Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:26.744{5ADF971D-28FE-6137-0D00-00000000F001}8883924C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-3100-00000000F001}2500C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012616Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:26.744{5ADF971D-28FE-6137-0D00-00000000F001}8883924C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012615Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:26.744{5ADF971D-28FE-6137-0D00-00000000F001}8883924C:\Windows\system32\svchost.exe{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012614Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:26.744{5ADF971D-28FE-6137-0D00-00000000F001}8883924C:\Windows\system32\svchost.exe{5ADF971D-28FE-6137-1400-00000000F001}1176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012613Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:26.744{5ADF971D-28FE-6137-0D00-00000000F001}8883924C:\Windows\system32\svchost.exe{5ADF971D-28FE-6137-1500-00000000F001}1196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012612Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:26.744{5ADF971D-28FE-6137-0D00-00000000F001}8883924C:\Windows\system32\svchost.exe{5ADF971D-28FE-6137-0E00-00000000F001}988C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012611Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:26.744{5ADF971D-28FE-6137-0D00-00000000F001}8883924C:\Windows\system32\svchost.exe{5ADF971D-28FE-6137-1600-00000000F001}1232C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012610Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:26.744{5ADF971D-28FE-6137-0D00-00000000F001}8883924C:\Windows\system32\svchost.exe{5ADF971D-28FE-6137-0E00-00000000F001}988C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012609Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:26.744{5ADF971D-28FE-6137-0D00-00000000F001}8883924C:\Windows\system32\svchost.exe{5ADF971D-28FE-6137-1300-00000000F001}872C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012608Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:26.744{5ADF971D-28FE-6137-0D00-00000000F001}8883924C:\Windows\system32\svchost.exe{5ADF971D-28FE-6137-1600-00000000F001}1232C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012607Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:26.744{5ADF971D-28FE-6137-0D00-00000000F001}8883924C:\Windows\system32\svchost.exe{5ADF971D-28FE-6137-0E00-00000000F001}988C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012606Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:26.744{5ADF971D-28FE-6137-0D00-00000000F001}8883924C:\Windows\system32\svchost.exe{5ADF971D-28FE-6137-1200-00000000F001}764C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012605Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:26.744{5ADF971D-28FE-6137-0D00-00000000F001}8883924C:\Windows\system32\svchost.exe{5ADF971D-28FE-6137-0F00-00000000F001}304C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012604Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:26.744{5ADF971D-28FE-6137-0D00-00000000F001}8883924C:\Windows\system32\svchost.exe{5ADF971D-28FD-6137-0C00-00000000F001}832C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000012603Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:26.150{5ADF971D-28FE-6137-1000-00000000F001}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B799AACA4D8125E00C28298CF36E2FCC,SHA256=5450EE6E57C7E2CEC7EF76A36EB31670E1BAFB353D0F88D4BA50657A4EF9D62B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012602Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:26.119{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA02E4195936F47CAB268B1002381B2,SHA256=3D753A055295FBADD8456F83992964161C3E20CC9B299F84EE0B1EEA8FBAAEEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012623Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:27.135{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA75DC3A9815BAF2D59CD252E282937D,SHA256=DAEF8E2BAFA85E597816A6D03B151B3F57FB200FA88C56754AB70405217FCC01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012624Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:28.150{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13E72255079FC1E0619FE09037B2D758,SHA256=56CA152534DEAA555392A71D25CA3302D8C4D43F52CD2EE4C9F5B49535D2704B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012629Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:28.770{5ADF971D-28FC-6137-0B00-00000000F001}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49360-false10.0.1.14win-dc-228.attackrange.local49666- 354300x800000000000000012628Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:28.762{5ADF971D-28FE-6137-0D00-00000000F001}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal49359-false10.0.1.14win-dc-228.attackrange.local135epmap 23542300x800000000000000012627Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:29.462{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2707EE9D605C295D98DEABA0B6C89C36,SHA256=CD832BD8D13B1215D9EC2C941B57F7367C09D9900B2BA279713D1B5B6343750B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012626Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:29.462{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4FD8F6F74CC02585FDEBF791AE63F7C,SHA256=817348C07E4BE35A18F42543009CB3727EA4ABA3F5DC8D230AF60E2AC8F227FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012625Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:29.150{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7A7293ED3EA77AB9751A9D64C22097A,SHA256=2DDACE133E879712E009832C0686721D8236272A4DBCE4CC4D712B6A38862EB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012631Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:29.482{5ADF971D-2918-6137-6D00-00000000F001}4080C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60450-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000012630Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:30.150{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2503AA23E1D40FC8C2D8DCBDCB75150A,SHA256=406F20790CA693F716A00E6DD05826CAB7AC11A2D818545BDA9C81F2A0FF8CE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012632Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:31.150{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1EF96CD3657525AEECF7B22BE5641CA,SHA256=50B195237401C2F5343868A5D2B50DA8B904334126BE5162F036497B5EB83420,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012633Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:32.165{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF3816A831EE6B700ED303A38C064E74,SHA256=3C66511545C9B871DEA6D2752274B3232B97A23E2BED6C58D1159F077BA5E6DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012635Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:33.352{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2707EE9D605C295D98DEABA0B6C89C36,SHA256=CD832BD8D13B1215D9EC2C941B57F7367C09D9900B2BA279713D1B5B6343750B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012634Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:33.180{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=758434AD0046502B5D90AC2450852329,SHA256=CA2DC26FD4CB88FEA03C094AC98AEF5A6FB2E644BAF980638A275E9A6495305D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012636Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:34.196{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04FF76F488652D08CE05820726A83D61,SHA256=AC8C016C8C8B4F00751CBEBA33A7FA54B2D59CF2E542D0E487087478BBA550CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012637Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:35.196{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4122431681B491CE6D85E4ECC6CFC10E,SHA256=60EC20BCB6B7B7A398DF9AD961028C95842BB089C2706D3A32D7EF742F2A432F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012639Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:35.498{5ADF971D-2918-6137-6D00-00000000F001}4080C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60451-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000012638Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:36.211{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F99B455702542E39375E62BC54C9781,SHA256=A8574F375C62DA99EF9ECEF6321033DD378A1320FC1E388B76BE16BBC4D2FB56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012640Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:37.214{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FE61E96567D94B79E2155A054CD5027,SHA256=069D4679AC26C7430F1530D7EDF9798DE4D9C8BE76CE96CE9557B441C9A44325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012641Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:38.229{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63AC506E31EFFFD97817BC60A08C28BA,SHA256=2B5F26236DB90F8317E259CE16493D2604C18ADE5A5ADCDD8A60F92CEFD92045,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000012643Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-09-07 09:03:39.885{5ADF971D-28FE-6137-1100-00000000F001}380C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a3c7-0x4008d7ef) 23542300x800000000000000012642Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:39.245{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F21A776EB512C4AC7AFBEEDA57511B0,SHA256=584E0B04862B767CAC3CC575D1B7B3659408066A313F46D472CFCAE2AE451AB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012644Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:40.260{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93E356BF351851BA1C14424DD7DF0869,SHA256=BBCB89119369D5C178801203BFB85DEC2192ABD479B6F9B03F40595D87CBD926,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012645Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:41.260{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44691649307F25ACAB4CDBC4D7483C51,SHA256=F3988111FDFE3A339C49F6798AE13FB503A87841A9B72578B03E9753767C1CA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012646Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:42.276{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC13B8B350D9AA2A2B915A4424F80210,SHA256=43DD354108ACBACE6067DABAFD53B080FA164EC3824F9C73DD49C416B7C00060,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012648Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:43.275{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2678AE0C22471C2DB3EE3DE5B8D7BD0,SHA256=71623E8E4DE2DBE4531162F4EB20F06FA8DE92726FBB6F84DE1CB9F160DF99EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012647Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:41.470{5ADF971D-2918-6137-6D00-00000000F001}4080C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60452-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000012649Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:44.275{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F55B3E0DAAFF22A321E331F97DC503F,SHA256=B6CF2E113D03B0AA40C093FE29D458A529D1237A1FBC48546413666A23C08E13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012652Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:45.463{5ADF971D-28FE-6137-0D00-00000000F001}8883924C:\Windows\system32\svchost.exe{5ADF971D-28FE-6137-1200-00000000F001}764C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000012651Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:45.291{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FC557B04699719FD3D9F24D7F3A587B,SHA256=0A1FEF7DF155378271A68BFAEA4959E6A6799FE89042BD1FD98FF9EB01ECC4D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012650Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:43.803{5ADF971D-290E-6137-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal59833- 23542300x800000000000000012653Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:46.291{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18BA8A2EB8E961B12DC33A75ACB7BB2D,SHA256=6E57F253941898AA664DCA19572A66C45126BED3AE7A859E319A47854D48474F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012656Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:47.447{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FEE3B44C92ABB295DB81EEBEADE97ED,SHA256=070F00D817CD59F07E6CA5655874DEAFEFF0D8E680685E50559B4E8AD2F0728F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012655Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:47.447{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCBE92C2C55AEA943D55E065B5F70961,SHA256=10E60592434CF98F78EBE72A44B9B6CCF875190D295FA75C3B7895FF01A33EB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012654Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:47.306{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1101CD4EB143BBE5526677E69C2C159A,SHA256=591D4359412CF1B03026CCDC14E256E55F55E6C0A784C39379F20217DB509713,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012657Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:48.321{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEA244828036151EF5A7D06D60FD0F8A,SHA256=23AB53E9E1ADF75A6A81ACC4B66EBBFF456F303893B378496B7C602A368411FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012659Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:49.337{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AC2B13751B00C0F7DA87D3F9D649100,SHA256=260465E704D3F369E987E6008BDAAB5A416E9AD3497DEC18DBDBFA65BFAF7C31,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000012658Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:47.485{5ADF971D-2918-6137-6D00-00000000F001}4080C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60453-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000012660Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:50.352{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B1E74B13245E2D03739269AC683A3A6,SHA256=C703AB3F94BB9253886189D24F7FC51CD5E8B09C23042139B1147E7233D0AD8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012661Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:51.352{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4A19046689114D566CCCB0F0563CA65,SHA256=9CD810C45D061820754BE7079F4E5C7D16C2A4B5B7A2A192F94EF846025C642D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012662Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:52.368{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35B0309089753032C50F8B77AF397DC0,SHA256=B6AE24D1EF6B8EC503905950AE942D9BAEFED928CFD3F006F47A75D18B47FE81,IMPHASH=00000000000000000000000000000000falsetrue 16341600x80000000000000001Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local2021-09-07 09:03:53.751c:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=75358E8028A9D2A1CC1782C71200ED0E529269E98BDC3389937C592CA9D2EB8F 10341000x800000000000000012676Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:53.789{5ADF971D-290F-6137-3700-00000000F001}33603380C:\Windows\system32\conhost.exe{5ADF971D-2AF9-6137-CB00-00000000F001}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012675Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:53.789{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012674Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:53.789{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012673Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:53.789{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012672Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:53.789{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012671Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:53.789{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012670Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:53.789{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012669Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:53.789{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012668Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:53.789{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012667Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:53.789{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012666Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:53.789{5ADF971D-28FB-6137-0500-00000000F001}408404C:\Windows\system32\csrss.exe{5ADF971D-2AF9-6137-CB00-00000000F001}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000012665Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:53.789{5ADF971D-290E-6137-2C00-00000000F001}29804040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ADF971D-2AF9-6137-CB00-00000000F001}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000012664Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:53.790{5ADF971D-2AF9-6137-CB00-00000000F001}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ADF971D-28FC-6137-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5ADF971D-290E-6137-2C00-00000000F001}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012663Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:53.383{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F46D47981AC486867F3F8252217CB9,SHA256=EC13FE4FB6BD1C0242CD705A79DB615284A9A6E7E38301D890F0296703E5F0A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:54.735{634249FB-2A89-6137-1300-00000000F001}368NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\Windows\Temp\UDDC33E.tmpMD5=70A7F288076DBDA3DA7AB38415580147,SHA256=E074F2AD824A09400E6B5C6DC2F504C01FC60B5BE37CD6361DE822B3C4F18BFB,IMPHASH=7B97B04EFDCA82C2A6B5C04289FC3892truetrue 23542300x800000000000000036Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:54.735{634249FB-2A89-6137-1300-00000000F001}368NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\Windows\Temp\UDDC33E.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:54.689{634249FB-2A89-6137-1500-00000000F001}1081156C:\Windows\system32\svchost.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:54.673{634249FB-2A89-6137-0C00-00000000F001}736772C:\Windows\system32\svchost.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:54.673{634249FB-2A89-6137-0C00-00000000F001}736772C:\Windows\system32\svchost.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:54.673{634249FB-2A89-6137-0C00-00000000F001}736772C:\Windows\system32\svchost.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:54.673{634249FB-2A89-6137-0C00-00000000F001}736772C:\Windows\system32\svchost.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:54.673{634249FB-2A89-6137-0C00-00000000F001}736772C:\Windows\system32\svchost.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:54.673{634249FB-2A89-6137-0C00-00000000F001}736772C:\Windows\system32\svchost.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:54.673{634249FB-2A89-6137-0C00-00000000F001}736772C:\Windows\system32\svchost.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:54.673{634249FB-2A89-6137-0C00-00000000F001}736772C:\Windows\system32\svchost.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:54.673{634249FB-2A89-6137-0C00-00000000F001}736772C:\Windows\system32\svchost.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:54.657{634249FB-2A89-6137-0B00-00000000F001}628708C:\Windows\system32\lsass.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:54.657{634249FB-2A89-6137-0B00-00000000F001}628708C:\Windows\system32\lsass.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:54.657{634249FB-2A89-6137-0C00-00000000F001}736772C:\Windows\system32\svchost.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:54.657{634249FB-2A89-6137-0C00-00000000F001}736772C:\Windows\system32\svchost.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:54.657{634249FB-2A89-6137-0C00-00000000F001}736772C:\Windows\system32\svchost.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:54.657{634249FB-2A89-6137-0C00-00000000F001}736772C:\Windows\system32\svchost.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:54.657{634249FB-2A89-6137-0C00-00000000F001}736772C:\Windows\system32\svchost.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:54.657{634249FB-2A89-6137-0C00-00000000F001}736772C:\Windows\system32\svchost.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:54.657{634249FB-2A89-6137-0C00-00000000F001}736772C:\Windows\system32\svchost.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000016Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:54.657{634249FB-2A89-6137-0C00-00000000F001}736772C:\Windows\system32\svchost.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:54.657{634249FB-2A89-6137-0C00-00000000F001}736772C:\Windows\system32\svchost.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:54.642{634249FB-2A89-6137-0C00-00000000F001}736772C:\Windows\system32\svchost.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000013Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:54.642{634249FB-2A89-6137-0C00-00000000F001}736772C:\Windows\system32\svchost.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:54.642{634249FB-2A89-6137-0C00-00000000F001}736772C:\Windows\system32\svchost.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:54.626{634249FB-2A89-6137-0C00-00000000F001}736772C:\Windows\system32\svchost.exe{634249FB-2AFA-6137-9E02-00000000F001}2508C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000010Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:54.610{634249FB-2A88-6137-0500-00000000F001}412572C:\Windows\system32\csrss.exe{634249FB-2AFA-6137-9E02-00000000F001}2508C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000009Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:54.610{634249FB-2A89-6137-0C00-00000000F001}736772C:\Windows\system32\svchost.exe{634249FB-2AFA-6137-9E02-00000000F001}2508C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:54.615{634249FB-2AFA-6137-9E02-00000000F001}2508C:\Windows\System32\wbem\unsecapp.exe10.0.14393.4169 (rs1_release.210107-1130)Sink to receive asynchronous callbacks for WMI client applicationMicrosoft® Windows® Operating SystemMicrosoft Corporationunsecapp.dllC:\Windows\system32\wbem\unsecapp.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{634249FB-2A89-6137-E703-000000000000}0x3e70SystemMD5=2443CA5962E2134CB389DCD5056D27AE,SHA256=018FF62BCDC292CF9290DB0574C8EF9C97EBC26933C8FC950DD8E6B2B91972FB,IMPHASH=A3CC49DF67C2278F822C9EBB9908BF09{634249FB-2A89-6137-0C00-00000000F001}736C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000007Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:54.548{634249FB-2A89-6137-0C00-00000000F001}736772C:\Windows\system32\svchost.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:54.548{634249FB-2A89-6137-0A00-00000000F001}6201132C:\Windows\system32\services.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:53.782{634249FB-2A88-6137-0500-00000000F001}412572C:\Windows\system32\csrss.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000004Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:53.782{634249FB-2A89-6137-0A00-00000000F001}620976C:\Windows\system32\services.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000003Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:53.763{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-C:\Windows\sysmon64.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{634249FB-2A89-6137-E703-000000000000}0x3e70SystemMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{634249FB-2A89-6137-0A00-00000000F001}620C:\Windows\System32\services.exeC:\Windows\system32\services.exe 434400x80000000000000002Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local2021-09-07 09:03:54.642Started13.014.50 10341000x800000000000000012694Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:54.904{5ADF971D-2AFA-6137-CC00-00000000F001}8483836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5ADF971D-290E-6137-2C00-00000000F001}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000012693Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:54.897{5ADF971D-290E-6137-2D00-00000000F001}3020NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0073eacd0895a4f95\channels\health\respondent-20210907085544-007MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012692Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:54.816{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2620FFE78183E4B374EA6B8F73309956,SHA256=DD9F86838B05A40C2C128523D21E1E2CEAF762E379BA5FA92E3FCD08C4690C11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000012691Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:54.816{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FEE3B44C92ABB295DB81EEBEADE97ED,SHA256=070F00D817CD59F07E6CA5655874DEAFEFF0D8E680685E50559B4E8AD2F0728F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000012690Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:54.754{5ADF971D-290F-6137-3700-00000000F001}33603380C:\Windows\system32\conhost.exe{5ADF971D-2AFA-6137-CC00-00000000F001}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012689Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:54.754{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012688Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:54.754{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012687Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:54.754{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012686Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:54.754{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012685Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:54.754{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012684Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:54.754{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012683Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:54.754{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012682Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:54.754{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012681Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:54.754{5ADF971D-28FD-6137-0C00-00000000F001}832940C:\Windows\system32\svchost.exe{5ADF971D-290E-6137-2900-00000000F001}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012680Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:54.754{5ADF971D-28FB-6137-0500-00000000F001}408424C:\Windows\system32\csrss.exe{5ADF971D-2AFA-6137-CC00-00000000F001}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000012679Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:54.754{5ADF971D-290E-6137-2C00-00000000F001}29804040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ADF971D-2AFA-6137-CC00-00000000F001}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000012678Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:54.755{5ADF971D-2AFA-6137-CC00-00000000F001}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ADF971D-28FC-6137-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5ADF971D-290E-6137-2C00-00000000F001}2980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000012677Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-09-07 09:03:54.390{5ADF971D-2920-6137-7600-00000000F001}1396NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A3D61D9DA3126C9B675EB138C83A6F,SHA256=4479A8020170690129A0C0D96956B00EEE8F04B9C0F70A93068ECDCC0D9BC9D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000064Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:55.986{634249FB-2AFB-6137-A002-00000000F001}38643476C:\Windows\system32\conhost.exe{634249FB-2AFB-6137-9F02-00000000F001}2540C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000063Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:55.939{634249FB-2A88-6137-0500-00000000F001}412572C:\Windows\system32\csrss.exe{634249FB-2AFB-6137-A002-00000000F001}3864C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000062Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:55.939{634249FB-2A89-6137-0C00-00000000F001}736772C:\Windows\system32\svchost.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:55.939{634249FB-2A89-6137-0C00-00000000F001}736772C:\Windows\system32\svchost.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:55.939{634249FB-2A89-6137-0C00-00000000F001}736772C:\Windows\system32\svchost.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:55.939{634249FB-2A89-6137-0C00-00000000F001}736772C:\Windows\system32\svchost.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:55.939{634249FB-2A89-6137-0C00-00000000F001}736772C:\Windows\system32\svchost.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:55.939{634249FB-2A89-6137-0C00-00000000F001}736772C:\Windows\system32\svchost.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:55.939{634249FB-2A89-6137-0C00-00000000F001}736772C:\Windows\system32\svchost.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:55.939{634249FB-2A89-6137-0C00-00000000F001}736848C:\Windows\system32\svchost.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:55.939{634249FB-2A89-6137-0C00-00000000F001}736848C:\Windows\system32\svchost.exe{634249FB-2AF9-6137-9D02-00000000F001}3328C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000053Microsoft-Windows-Sysmon/Operationalwin-host-724.attackrange.local-2021-09-07 09:03:55.939{634249FB-2A88-6137-0500-00000000F001}412428C:\Windows\system32\csrss.exe{634249FB-2AFB-6137-9F02-00000000F001}2540C:\Windows\system32\WinrsHost.exe0x1fffff