23542300x800000000000000032986Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:17.795{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78CBFE00ACFCB22C3023134898599C03,SHA256=651E8959FC7CB136E3C64DE8718036FE0809779A2B780E8FF9D79913125DFC60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032985Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:17.795{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A52450EADD915292A0BBA3FD77B60FFD,SHA256=6B4F9F639120403F92F09371AC082D95E0CE0CA4159FA1EE953446D62CC27856,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032984Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:17.764{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C2C19923EB10687C1CF91C2C6ED83F8,SHA256=1902F9F50C39F5F7BF2EB2A9046EF3EE1D47548D8DF159C7B4A9EB48AF36F304,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017130Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:17.084{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E0068B5DD0438368343C7CF61E4740,SHA256=794F35923F2DE08EBA3CD4B2EC4B5054DF3CB1B0F2D806D6BFB6A07E06E090FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032989Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:18.780{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78EC22AE247D59B068B36437090CF034,SHA256=576D4A6092D941905D26BE00EEA0A07A38A74EDB97A168DE6B15133E2E853233,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017131Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:18.099{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D675A86918F98222CC44A018E9C55FB,SHA256=F30ECB111D71100C9F2A1D0873A22635BD7E8EA0030445DED01153D82E9F7A44,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032988Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:16.377{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local52304-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 354300x800000000000000032987Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:16.377{6EDEAD03-FC2A-615B-2900-00000000FB01}2912C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local52304-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 23542300x800000000000000032991Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:19.977{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=116A690F08E422DCDE975A34A99F85A4,SHA256=7ADFE67F38F9A8BB92FB1594BCD584948915E66FB522C8DD533B52317D306E64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017132Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:19.334{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E7E67930BEA9BC621C3DD60678CE02,SHA256=9E9460FDAB09103AF53856367E777732F39D2A7A8701A4882F38ABF85278633D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032990Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:16.720{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52305-false10.0.1.12-8000- 23542300x800000000000000032992Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:20.992{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFDC3BF280D261394028862482DD16AB,SHA256=4BD1347B8557C952DAD3C823C8CF19FDBBCDEA1C5E01F452EFD6A5354A5465F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017134Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:20.524{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92E85BB0913B387B981ECEAA3D520A33,SHA256=649221AF0AEC99A90D871B353187F50353A025703270C76E8A8ED9F79E3D1C6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017133Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:20.287{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\respondent-20211005072534-069MD5=9DBD3CF651CAD1963D7DD9E70795396E,SHA256=D00FE5240C0E39CC33FD8ADFFDA13197E8833401D0A3D05F731F6A79B8E00229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032993Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:21.992{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=297B0D5C59F5C7ED9781EFAFB812DF0D,SHA256=C978C2B5933DAB382AFE21BEFFBB5930F356985E7D6854CE27B01E330C571744,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017137Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:19.082{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50551-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017136Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:21.538{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A39F548C6C8DFB372A758B221A60898,SHA256=89B2D0D5C94BA45DD6811175D27A67C55D29825D7F8F96A6B65A7B609B148BEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017135Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:21.291{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\surveyor-20211005072532-070MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017138Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:22.541{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=568C5D08B518E52AF1027814D7F106F8,SHA256=1C003A33A38A6E08B01B312BD8A5CFD16F30F943ABAABE414ED875CB2062561A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017139Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:23.556{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07C3DFF9CCC7AD02EC6DA1040BDDDAB3,SHA256=255F7957150E1EDA3077EAEFA4CD7097B1007F9513C88330F53AEC4F26977921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032994Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:23.008{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C3C2F205E78317976F342C38234F113,SHA256=947581B8CD1C6DFA40A0A63CC924EE39EB8C314EC41E29CA91E127A007177D91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017140Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:24.556{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=840B4B48CDEB0F5F3CD901A4F401BD83,SHA256=327D26D87809DAAAE971BF2C1ADF35EE5D883DDA3645A7547C06C65FE720C955,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032996Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:22.698{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52306-false10.0.1.12-8000- 23542300x800000000000000032995Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:24.039{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA2CF28FDB57A3B6866AD37B75250495,SHA256=D8C91688E0F398FBDBE7E8C0C8FD1B983E050EA53CDFE9F535F7EBCC38095F1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017142Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:24.148{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50552-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017141Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:25.572{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7563C7687CF9CB3384649458B5B58863,SHA256=57EACAD2D256C16BCF8CBDAAC4124178EBA62468216EA516EBFC1C20A42846CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032997Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:25.258{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC4413A3906B472D0779068BDB620CA,SHA256=5AC53D0FBB9FE324293A648C6C708E5B6A2E16F06A4D9AC8FB704094EAF09E93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017143Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:26.791{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=496593290C8088A21555D3E01256399F,SHA256=E6EC07C5BD8E9D940837A991C1DCD7314EF9E99E713B07CF9EF232A6D50144D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032998Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:26.273{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4EA7BCE98A14A1BF2778A4C1D8FFA76,SHA256=838779BB2E057FEB391ADF6FCC550D445B015E994761F89BA054A30A42072672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032999Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:27.273{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=520D48387A5951542731DCFC2FECC934,SHA256=F71B4C98F31E2E1EC719606F9CD4F1D60B70677EE3E2B522F09FB41F92E7F405,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033000Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:28.273{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96816C9557372619793D61714C7D82EA,SHA256=0291B434B64D77CD9500EBE1027D849C314841816264579E56158FA15EBBD011,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017144Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:28.009{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB33470DFF07AF9A01C82CD8EE104D4F,SHA256=102B9B3977BA9804EB0C9B4655984F72260178A36A2B4EBB79ABF0FDA4B7774F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017145Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:29.197{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1AD7E13D1EB42A88F1B068304E30EF8,SHA256=145C329E65A22DFB8A8DF67D0ECE7EA107DC4CFD6C9A1AC597FC36CA9B43C93F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033001Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:29.289{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E24EAFB8F315154A0993014C9BBDA5BC,SHA256=E88EBFAAEBE9F6ACBF05945ABB2D0F2DF338C63E827FA3BBCADBA2E21C8C0F36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017146Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:30.212{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10076161631277DD302A01FEA622C2DA,SHA256=A82E5F2577BDE27725F9CE84B7C83A7E1EF777DF4C4B26F41E20B1E11132AF24,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033003Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:28.714{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52307-false10.0.1.12-8000- 23542300x800000000000000033002Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:30.305{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6EA5E0D8A145E825CA0E7166519AAB6,SHA256=0251CC9AEACC12B36DE5BA6AC57ADCE05F27926A6BC664E920B47A13CE49AE3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017148Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:30.164{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50553-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017147Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:31.212{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=872CEE1A81F8E27D55D06A623FE02DE6,SHA256=890495515FA1348F72DB5DBE048CCADDBA9118A8B7262E0EFEA8177C9AE3FE42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033004Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:31.320{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=244F77093069A779A42234361DBACEA0,SHA256=1AD8EFAA72A6195DEF67B036C8B0C47CF631A95BF7569EBB369E9E7FADD9EDC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017150Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:32.556{49C67628-FDEB-615B-1100-00000000FC01}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=85C1687DCABB01320BAE54AECC7BFAE7,SHA256=E2E55651332DC945E617224AD7A72BA063A61B193DC0F0B8551A612BDD861A58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017149Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:32.447{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4AD08CE688AD1F37582E9744251B8F9,SHA256=F3333F0A462F48DC3EA204E936496FFC3413383EE475C2F3FD1C7334B51C3A68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033005Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:32.320{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55AA4D56544C5DEB04F5524368857507,SHA256=B4A206D6AE5EE193DAD99EAC276BB818A9040AC2DF72BB839A024429C4F536E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017151Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:33.650{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D458F0D504BB96B17FA3713E4B70F29,SHA256=6AC26E68B2FC774778E7DF894289BBFB6CFB64D4CD94E1902564964C3FB77671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033006Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:33.336{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A3A763EBE395A4277FBBCA4388E93DC,SHA256=1E13D1AB6870B5FB2DEED29639CDE0C09EE1AD3FD0CBB4F6DDC9A962A419E217,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017155Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:34.697{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-1300-00000000FC01}684C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017154Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:34.697{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-1300-00000000FC01}684C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017153Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:34.697{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-1300-00000000FC01}684C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000017152Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:34.665{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18E09B4684AF76EC0CC351B31F8F39C3,SHA256=D5214E3DA861138498596317B96B9A96419CE6E4A537B702C9AC14F52136F3D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033007Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:34.352{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABCF90D834630F7E23AA955C0D0D81B4,SHA256=25DCFB136D8F807EC317C2D0FE785BD44E1734C123100ECB50C87FD57040D8A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017156Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:35.806{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33BC78501EE518116720219A242AC2AE,SHA256=83E82596AA002429AE08EBE20A77C759A935FB6D6C138858B4959AFE523AC1DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033008Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:35.367{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5345A3176586EE0D16C6DC12E191437,SHA256=8EFA572A16F7AC23604A6BE3C8A11975CD350006EC1B892A5E52B1FDB24C7525,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017157Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:36.962{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71F6091EA9481845573684D903C86EA0,SHA256=AE135EE6E8C89EBFFC5D167F3BA99624E1EDAD1CDFF5AAAFD6B7CEF9B0084C69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033010Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:36.367{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02BC2A504094BB63FBBF205DF6B6D5C3,SHA256=89801FFD5E8110879C1D5060BDC4042B770B17651E6EEB64ED9DD5B251A95D4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033009Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:33.730{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52308-false10.0.1.12-8000- 23542300x800000000000000033011Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:37.367{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A8461848242715562652950FAABDAAC,SHA256=5CEC310B2189821E066441D1C4671ED5FAD6667A6152391E0F41F43F3B7909ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033014Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:36.997{6EDEAD03-FC18-615B-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local52309-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local445microsoft-ds 354300x800000000000000033013Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:36.997{6EDEAD03-FC18-615B-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local52309-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local445microsoft-ds 23542300x800000000000000033012Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:38.383{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49E92EA04F6001E0BDDBD7ACD76E01BB,SHA256=10E27DC097B5F6F66082AF9F44BB3C1A765499F59416D1B09D5F186EC71CAA10,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017159Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:36.179{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50554-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017158Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:38.181{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A5FFE76A884B6315736BB9CD62E1E57,SHA256=9F5B816E69DBE529B7B71E1350830AB427654A1D3BE430A49DDDFEE1536AF142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033024Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:39.930{6EDEAD03-FCBF-615B-AF00-00000000FB01}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033023Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:39.430{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0ED3-615C-B006-00000000FB01}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033022Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:39.430{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033021Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:39.430{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033020Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:39.430{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033019Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:39.430{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033018Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:39.430{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-0ED3-615C-B006-00000000FB01}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033017Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:39.430{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0ED3-615C-B006-00000000FB01}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033016Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:39.431{6EDEAD03-0ED3-615C-B006-00000000FB01}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033015Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:39.383{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=641765F7FF98044B29AAE3A3346F9B73,SHA256=46B7D89F28EEE8DE1196F0D988DEDEC0E761A6D33730225B4C7850A69EEFF908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017160Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:39.415{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA576DD1EFF7D6F0BC20F16DE2CF89F,SHA256=DF4BDB08F4E2A407C8353E345DD1AD0C712B82FDC0BFBF005AD7ACDF0C7203CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033044Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:40.742{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0ED4-615C-B206-00000000FB01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033043Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:40.742{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033042Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:40.742{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033041Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:40.742{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033040Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:40.742{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033039Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:40.742{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-0ED4-615C-B206-00000000FB01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033038Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:40.742{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0ED4-615C-B206-00000000FB01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033037Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:40.744{6EDEAD03-0ED4-615C-B206-00000000FB01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033036Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:40.445{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E8EDC03B770CC555C255E0379EC8C65,SHA256=DA5F93B4E0652E20A2A667C956958383EDCB3A135EEF2C2662AD7E46C6045D57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033035Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:40.445{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78CBFE00ACFCB22C3023134898599C03,SHA256=651E8959FC7CB136E3C64DE8718036FE0809779A2B780E8FF9D79913125DFC60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033034Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:40.398{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DEE5CCC848F2A9EBDE9F208A60E1768,SHA256=BD7C8788EE39546FE4BA2F789775D918E61A9FD90E8BEE4C12A093D25B310695,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017161Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:40.581{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C968793D379095B864E338D403F04514,SHA256=D8D903766CC2D0E6B0080F358DECCBD6EC416F1BC4FFF2FD3158F3FE2B7B644F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033033Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:40.258{6EDEAD03-0ED4-615C-B106-00000000FB01}46485184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033032Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:40.101{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0ED4-615C-B106-00000000FB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033031Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:40.101{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033030Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:40.101{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033029Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:40.101{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033028Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:40.101{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033027Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:40.101{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-0ED4-615C-B106-00000000FB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033026Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:40.101{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0ED4-615C-B106-00000000FB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033025Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:40.102{6EDEAD03-0ED4-615C-B106-00000000FB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017162Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:41.596{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A93B45C6443A91004459294C02B33C53,SHA256=C5EEC12BF3A241FF2AADADDCC26DF2613A099F674B4087F100037871F56A5992,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033048Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:41.805{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E8EDC03B770CC555C255E0379EC8C65,SHA256=DA5F93B4E0652E20A2A667C956958383EDCB3A135EEF2C2662AD7E46C6045D57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033047Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:41.398{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52A9C05AA8F0A26D3548EF8DE56236A3,SHA256=99DE918BB2422615CACBF44FDB9E570191F647531FB7158C984BB600E617D3D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033046Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:39.511{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52311-false10.0.1.12-8089- 354300x800000000000000033045Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:38.808{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52310-false10.0.1.12-8000- 13241300x800000000000000017173Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 08:37:42.877{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000017172Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 08:37:42.877{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00422440) 13241300x800000000000000017171Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 08:37:42.877{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b9bb-0xe1466784) 13241300x800000000000000017170Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 08:37:42.877{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b9c4-0x430acf84) 13241300x800000000000000017169Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 08:37:42.877{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b9cc-0xa4cf3784) 13241300x800000000000000017168Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 08:37:42.877{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000017167Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 08:37:42.877{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00422440) 13241300x800000000000000017166Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 08:37:42.877{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b9bb-0xe1466784) 13241300x800000000000000017165Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 08:37:42.877{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b9c4-0x430acf84) 13241300x800000000000000017164Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 08:37:42.877{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b9cc-0xa4cf3784) 23542300x800000000000000017163Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:42.706{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6B183A5F17E51333FFC87DFEDCF1277,SHA256=D202E892C5BE3DCCB8186F22F8663D82FC6BFDEF81F50CA0B98E2DBD61BF9C6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033058Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:42.648{6EDEAD03-0ED6-615C-B306-00000000FB01}15201992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033057Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:42.476{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0ED6-615C-B306-00000000FB01}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033056Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:42.476{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033055Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:42.476{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033054Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:42.476{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033053Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:42.476{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033052Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:42.476{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-0ED6-615C-B306-00000000FB01}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033051Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:42.476{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0ED6-615C-B306-00000000FB01}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033050Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:42.477{6EDEAD03-0ED6-615C-B306-00000000FB01}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033049Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:42.398{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3367A0604E3B5640A364CD56FDABAF5,SHA256=98A46CBAEF2C3DF7D2BC9A603646CDC69B428344449443AA00574710839B457B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033078Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:43.836{6EDEAD03-0ED7-615C-B506-00000000FB01}69805956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033077Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:43.664{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0ED7-615C-B506-00000000FB01}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033076Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:43.664{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033075Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:43.664{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033074Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:43.664{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033073Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:43.664{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033072Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:43.664{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-0ED7-615C-B506-00000000FB01}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033071Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:43.664{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0ED7-615C-B506-00000000FB01}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033070Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:43.666{6EDEAD03-0ED7-615C-B506-00000000FB01}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033069Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:43.492{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B8D8FF520DC52DB5DA7AE1F338917A1,SHA256=0FC5937620130AE72385623580868F8B22E9B709CCE67899CEFB75C4F00CCD26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033068Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:43.414{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59EEA16702F126E5B69458E88C73EDE0,SHA256=7364609B197A9089D35FB558E9E0F338ED1F3F1985178B161D09BD15CC86DE9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017175Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:43.706{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=140E98F265F09AE106ADA143812C5BF6,SHA256=2E581D23C867E2790F7FC3FCB7992EC09E561FCC1C00C7BB166F3D2F6D51AA0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017174Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:42.095{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50555-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000033067Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:43.305{6EDEAD03-0ED7-615C-B406-00000000FB01}5164344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033066Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:43.148{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0ED7-615C-B406-00000000FB01}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033065Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:43.148{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033064Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:43.148{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033063Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:43.148{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033062Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:43.148{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033061Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:43.148{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-0ED7-615C-B406-00000000FB01}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033060Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:43.148{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0ED7-615C-B406-00000000FB01}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033059Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:43.149{6EDEAD03-0ED7-615C-B406-00000000FB01}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017203Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:44.737{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8559A503FBC62291C397A37F3007245,SHA256=0B0D11075DA54A63F0ECE729BA98B01459E701CF98FEDDA5CAAF2A104060D061,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033088Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:44.664{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8372EAFA7CF716CFD4DB13C2AC943EEF,SHA256=28A76042523CDF415D3E576FC1A3F0A12DF8E8A2EE03C810B05085D6E2EB8892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033087Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:44.430{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6D42685F5F267641C1B1C95D9A075DC,SHA256=E486D11DB2F0AD00CE1C5741832180EE8E9D35AF18F07E688698D105C2922E6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033086Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:44.336{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0ED8-615C-B606-00000000FB01}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033085Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:44.336{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033084Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:44.336{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033083Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:44.336{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033082Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:44.336{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033081Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:44.336{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-0ED8-615C-B606-00000000FB01}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033080Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:44.336{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0ED8-615C-B606-00000000FB01}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033079Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:44.336{6EDEAD03-0ED8-615C-B606-00000000FB01}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017202Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:44.565{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0ED8-615C-D102-00000000FC01}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017201Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:44.565{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017200Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:44.565{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017199Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:44.565{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017198Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:44.565{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017197Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:44.565{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017196Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:44.565{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017195Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:44.565{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017194Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:44.565{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017193Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:44.565{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017192Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:44.565{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-0ED8-615C-D102-00000000FC01}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017191Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:44.565{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0ED8-615C-D102-00000000FC01}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017190Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:44.566{49C67628-0ED8-615C-D102-00000000FC01}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017189Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:44.237{49C67628-0ED8-615C-D002-00000000FC01}27242992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017188Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:44.065{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0ED8-615C-D002-00000000FC01}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017187Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:44.065{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017186Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:44.065{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017185Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:44.065{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017184Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:44.065{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017183Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:44.065{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017182Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:44.065{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017181Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:44.065{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017180Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:44.065{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017179Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:44.065{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017178Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:44.065{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-0ED8-615C-D002-00000000FC01}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017177Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:44.065{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0ED8-615C-D002-00000000FC01}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017176Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:44.066{49C67628-0ED8-615C-D002-00000000FC01}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017219Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:45.768{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=774CFD2026C566209CDA233248767351,SHA256=24F34B2FF37B49A29DF49626835A16621F75325634E14AE31201F0F80E744CDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033089Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:45.445{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BDC719E900B8A2CD48603E3E24CF3DB,SHA256=3202EF2EF1D063E9889000035436EC24F54536ACE04D364E38A934FE82B2C06C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017218Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:45.237{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0ED9-615C-D202-00000000FC01}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017217Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:45.237{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017216Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:45.237{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017215Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:45.237{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017214Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:45.237{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017213Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:45.237{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017212Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:45.237{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017211Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:45.237{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017210Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:45.237{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017209Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:45.237{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017208Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:45.237{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-0ED9-615C-D202-00000000FC01}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017207Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:45.237{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0ED9-615C-D202-00000000FC01}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017206Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:45.238{49C67628-0ED9-615C-D202-00000000FC01}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017205Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:45.096{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EC0C7018A228F91BD0409BE3F9F811A,SHA256=D3B7BF190D94E6978A69943ACED112A49CDAEDA332FFABFB4E41F4A4F9DE65CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017204Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:45.096{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE8EA60376D95D839B206BB10B8EC21A,SHA256=70BAB3E9B19758FB371C9529C570AD8BAC47073AF556B592AF9305B7E23E9B7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017235Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:46.784{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23354344BE157B3F9DA5A6EA2A8298EE,SHA256=33E8A72E224F6CBBF4B671EA6AC9B03D376FDA34EAF1ED0D2A0200F1C054CABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033091Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:46.461{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1125258069DEE834AF98F2AEFAF89727,SHA256=46CB789739C6FC417943AD020965E1BE4BD95B7739BBA1F10CD16C60F2794648,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017234Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:46.518{49C67628-0EDA-615C-D302-00000000FC01}28923524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017233Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:46.315{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0EDA-615C-D302-00000000FC01}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017232Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:46.315{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017231Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:46.315{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017230Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:46.315{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017229Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:46.315{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017228Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:46.315{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017227Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:46.315{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017226Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:46.315{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017225Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:46.315{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017224Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:46.315{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017223Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:46.315{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-0EDA-615C-D302-00000000FC01}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017222Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:46.315{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0EDA-615C-D302-00000000FC01}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017221Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:46.316{49C67628-0EDA-615C-D302-00000000FC01}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017220Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:46.284{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EC0C7018A228F91BD0409BE3F9F811A,SHA256=D3B7BF190D94E6978A69943ACED112A49CDAEDA332FFABFB4E41F4A4F9DE65CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033090Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:43.839{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52312-false10.0.1.12-8000- 23542300x800000000000000033092Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:47.461{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE6DD7E932141865B0B13E579D22D5A9,SHA256=A812A9DA7DEEC2B790DC4A05A5C32B72A91D0730EC43D823EDE134CADEF3076E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017249Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:47.956{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0EDB-615C-D402-00000000FC01}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017248Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:47.956{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017247Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:47.956{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017246Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:47.956{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017245Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:47.956{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017244Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:47.956{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017243Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:47.956{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017242Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:47.956{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017241Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:47.956{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017240Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:47.956{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017239Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:47.956{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-0EDB-615C-D402-00000000FC01}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017238Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:47.956{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0EDB-615C-D402-00000000FC01}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017237Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:47.957{49C67628-0EDB-615C-D402-00000000FC01}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017236Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:47.331{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5484BB9459EF614025F34723FE523B05,SHA256=50F849D57E0F70267CEE90EBC58FCD24DF86B313F315A3401DEB4DCB9F062B20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033094Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:48.476{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0876A27AD6E546A7C0962127BCEABB43,SHA256=4E20CDA288072E792FE216E74E19FAE08FDA7DDCE119C8C214B39B0910ADAB55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017268Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:48.971{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9688A21F570F6A52E0B2212BB6E434F5,SHA256=21FBF0F36BB80F2AF22DE076DFF4A70237084945ED05C6F262D826C2C884C654,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017267Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:48.768{49C67628-0EDC-615C-D502-00000000FC01}27842468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017266Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:48.627{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0EDC-615C-D502-00000000FC01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017265Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:48.627{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017264Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:48.627{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017263Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:48.627{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017262Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:48.627{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017261Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:48.627{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017260Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:48.627{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017259Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:48.627{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017258Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:48.627{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017257Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:48.627{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017256Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:48.627{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-0EDC-615C-D502-00000000FC01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017255Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:48.627{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0EDC-615C-D502-00000000FC01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017254Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:48.628{49C67628-0EDC-615C-D502-00000000FC01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000017253Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:47.157{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50556-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017252Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:48.190{49C67628-FE68-615B-9F00-00000000FC01}1772NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017251Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:48.127{49C67628-0EDB-615C-D402-00000000FC01}2864108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000017250Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:48.019{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33E779AF16DBB09FC3448B4B386CEB3A,SHA256=63675053664E84CB030BC2DF1228560153CDD91BCC99E225587A9FA9466F124A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033093Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:48.211{6EDEAD03-FC1B-615B-0B00-00000000FB01}6365952C:\Windows\system32\lsass.exe{6EDEAD03-FC18-615B-0100-00000000FB01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000033096Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:49.476{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DFE360DBCAC3BABBE038EE38897B8B7,SHA256=DA0CB7AE9D514B00EBBE7A43CE6191F0C7FF9884549947B1630B0C4FB2749658,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017283Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:48.235{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50557-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000017282Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:49.299{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0EDD-615C-D602-00000000FC01}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017281Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:49.299{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017280Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:49.299{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017279Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:49.299{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017278Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:49.299{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017277Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:49.299{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017276Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:49.299{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017275Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:49.299{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017274Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:49.299{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017273Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:49.299{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017272Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:49.299{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-0EDD-615C-D602-00000000FC01}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017271Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:49.299{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0EDD-615C-D602-00000000FC01}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017270Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:49.300{49C67628-0EDD-615C-D602-00000000FC01}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017269Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:49.049{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66AECF15BD5034658B9B28230A984D82,SHA256=ED12CB39BF8C2D14EFA6CBB12685325A9D65B813CB9E06B2A540D3508184420D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033095Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:49.226{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9CC42B9C677F91268E07DD4047C9FDD,SHA256=F200D64F2B53787D2BE12B38F84E2094365597D963803145EB781127B085A580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033102Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:50.789{6EDEAD03-FC1D-615B-1200-00000000FB01}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A29312B8AA030982167660A0D6A70C4B,SHA256=A7D8E8A2DEADBF975ECD619A18E5638FC9A6396DDBD1D2B0F71C267A53F89DCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033101Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:50.570{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5846F24093B6DF10E07D75057BED8BBE,SHA256=7F9A4E3224C03AAAA1B3C033FCBABF5660E459D6BE4C8C83A207C6E898811C33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017285Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:50.346{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EBDBBD98CC4FA620E1E510C88B3B053,SHA256=D65BCDC31B6098D18682B42D62123087B11A350E70D3076B64B04B25CB4A5E6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017284Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:50.112{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D773E91D5066251FAFE1A8EFED82146,SHA256=E9BF8BFE1371794F3AD2EB73795F4CDF60948E30E0B9B73A2D5262C826654D50,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033100Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:47.809{6EDEAD03-FC18-615B-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local52313-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local445microsoft-ds 354300x800000000000000033099Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:47.809{6EDEAD03-FC18-615B-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local52313-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local445microsoft-ds 10341000x800000000000000033098Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:50.226{6EDEAD03-FC1D-615B-1600-00000000FB01}12886936C:\Windows\System32\svchost.exe{6EDEAD03-FC2A-615B-2D00-00000000FB01}1000C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033097Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:50.226{6EDEAD03-FC1D-615B-1600-00000000FB01}12886936C:\Windows\System32\svchost.exe{6EDEAD03-FC2A-615B-2D00-00000000FB01}1000C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000033103Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:51.586{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F8E2941AFA28B6097DFEF9FF7713170,SHA256=AB5662983BAB6F593ABEA4D85D8FE4FE9D68082E8F0E49F83B87BC128B9627FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017286Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:51.159{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA55420C56988ED2EDEEE7005D6CF6BD,SHA256=F5744BF2224BEDA827C96FA7ED65913DCF9625EDAE656AC34A8B50505B9201EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033105Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:52.773{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=790303BEB7599F135E127E430E842627,SHA256=A743261FCBD313A4B92A07E34158F40F19EEBCC9FAA7ECD8B5FF7F06C3E17EA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017287Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:52.190{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64AEA2F92154FE8977B94029A8C8A284,SHA256=AFFEC9AD45B8B9F8955E29FF58F96A97A7062E1160606500884B7F2D0D03799A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033104Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:49.776{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52314-false10.0.1.12-8000- 23542300x800000000000000033106Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:53.773{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC458769349D26C4A4325237217EA4E,SHA256=0285B01EA92E6D768217AA99D040ECE4A3FB7D11B4B911EA78DE98469AA143FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017289Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:52.298{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50558-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017288Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:53.315{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5929D295199537C95497190EB3F79813,SHA256=CDDC6C1D69E518E371977D879237520C9547CCF00A61E478CACF5CE5BB0E00B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033107Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:54.789{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=882B758FDA82806C55810E7D346A0F77,SHA256=8FD7A5564C7E4B958FBB8B22B5ED4E71E182CB8CB527326FB92D1EE6424128E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017290Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:54.440{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9D9F19CD8C3FEDE965E32FCF8CC92B1,SHA256=D2A1ED5AFA7730E91A1460E6319E2803B406B707DEBF807234EEE9BD676E5B01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033108Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:55.851{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B897685291AF121AF37D8B6AC9B510,SHA256=534EF1CF095C4813718935362D78CA64057C50DFB9C38EDF248AAE9C2A24AF93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017291Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:55.440{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0796145148256D97B6B662037521515,SHA256=0756E99B2ADD18081D12C839BDE132BB51B03CDC873B54BC6DFA41E770C221FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033109Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:56.867{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA41B80B0D1FA8626E31617CB5810B3,SHA256=6434F09271EFE014BD524E2902FD590FBF1C50EE5D1A40A3824759FFE22A0A8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017292Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:56.674{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F372B017F9E87300F2029DC683CDF5C8,SHA256=0B1CAD1DADD5DA164E4EB2626BCC9D6369E37CA50A83DE9FB8DA9364630AE97B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017293Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:57.815{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82BE934A026B25891A582DEF08CA68FC,SHA256=36F01F273A02A4F8681077B3062520F5A9A0E5723AFF918E5AD646E8FA2BA33A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033110Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:55.823{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52315-false10.0.1.12-8000- 23542300x800000000000000017294Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:58.815{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E5AC71B8EDBA6A3C375A02F52701C6C,SHA256=332CE10AE99E49435474CF548522CBCE86F9085019625E55923F0970D38B4A1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033111Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:58.008{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2000FC2E38CE08FCB43E5C71B718496F,SHA256=B7DA918D6C85179169D7B446117DE1E2259196104EA30BB6D1E696429D1A235F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017295Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:59.823{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A10695BD4E88749560EA370ECB2EA4C,SHA256=D1FAF3C427E4C20F759ADB81B78B0BE353336DB09A5512198DF33B0CAF1B83D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033112Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:37:59.226{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=535F8F46CAC27E5149DE9AC711F61C55,SHA256=D80D36E4A1D27E805A519229D07FCC67BEE4EDCCF83C1DF8C13C7D737E603B3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017296Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:00.823{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61433630C22A0ABB4AA7A996FA3A08DC,SHA256=394077E0FA422635A697A7C114DA122263982A884461556A46FFC11B7E1EB894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033115Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:00.406{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66F59F739CEB5B26E9489AC06E13705D,SHA256=DF89987B478BC18396353FE0DC71D6977086BF22930B2A8E2DCB8CC23EFE52C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033114Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:00.250{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=618C9D97F732A23A2C2972676634B3A0,SHA256=40D039E7CA0D5D6B87D84C24885CA192FCFAD7414C7F40707A729D3CD107E3D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033113Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:00.250{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08984E88810430D99FFFD4962FE779FB,SHA256=740475F61F8CAAFE56D54F72020CB53F2229EFD1A6A36FF27A679B9A50235F1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017298Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:01.901{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E8C8F010C77A37151296627B2D46526,SHA256=F4310B6637E240DCA0A391EC09C536A49AEB964DE5A0B8B197EEE6DBDD027C94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033116Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:01.422{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5C40FD23D651A418D8058B20CD58342,SHA256=CD862D0477E8189E7A59BDA415D1FAFADF2CE98370C1B559D80552F0C8652273,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017297Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:37:58.173{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50559-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017299Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:02.963{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A21D8664D2F021B0CD69C3AF17977A2,SHA256=A0529A4FA874E7DA478C06C6E338153D1CCFDA472EA807A325A4B8083D685435,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033117Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:02.437{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=749C888BBD1F875FEDBB8769973DBE74,SHA256=F41E89299841B75005AF9347D5003C5BD1C968BBDCB17FCDFDAB7A9F1197728F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033120Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:01.643{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52316-false10.0.1.12-8000- 23542300x800000000000000033119Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:03.464{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2573810FAE2E3C1A2D11EDF58D46581B,SHA256=A6C1170B1500AF2920E065BCB0130BECAAA446F59EDE66FC8EC2ECFFF847E081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033118Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:03.160{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\respondent-20211005071805-077MD5=AA6F78CCC35FD74424B933C975A9F779,SHA256=482DFC86E7C4A11E76E3E352EB64B396C84C083D9F57F37823883232EC55A225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033122Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:04.479{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD8B1CDF76133742427F63E1FE24448,SHA256=F4294B25EDB2DCA90E5FBD4A8A6654FA4C5A77FDD4AB4EF28271B738AE2226E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017300Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:04.041{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F246337D4B541742871971C93B63E37A,SHA256=0A00EA18BB17AADA5E272744DF3674AB9D86F0B5AE040BC70F7F04EFCE430D8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033121Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:04.169{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\surveyor-20211005071802-078MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033123Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:05.483{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C319A5B248E031D72A284767DC129737,SHA256=DD2E6961D3B59494F1EAFB1FFA40C67999B3328ABE9BCC15A9A217036E7229D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017301Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:05.260{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=952161D7161B3C0459BCE487E7877ED0,SHA256=6611B7B31B4EC9276681E914EE4AB12C8DA4654E52EDB4679F177C9503E6224D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033124Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:06.498{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2F69CECF0BE5A03B890DF066DA7BDCB,SHA256=AC8301A360E3C2627A748B70FD5493E874FCE8D96AAA6EA018E3B3C178C6047E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017303Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:06.448{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3FAE677A822C27A17186BD67E956FB6,SHA256=BB94CB89D8B73A7E36C497E8618303D066716E56AD4065EBBDD333D5A5BF96A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017302Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:04.228{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50560-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033125Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:07.530{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEEB6C4EEF0AD69E2FB256BBD936A687,SHA256=3D320BC1BDD18D4E15338AF80034B0E0B2784B0DDB75FF1F8D223D25C8A61483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017304Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:07.463{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A36ECB73525AE42AABE8F7D1A205790A,SHA256=D740944FCE9C93339A54BF89BD73AD249649A3065CF6ED138B34B7D7066AF518,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017305Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:08.698{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EDA6367249C58F445554D4E9C5D9146,SHA256=7CEA17E30A0EAA99D32051B9CAB96D88FB79C316C4CE445D0C31E52EF74884D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033126Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:08.545{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C5921D2C0D2644417FABAE001F7ADF8,SHA256=F54F059B5A76D37992FBA5F6582436D1AACC2C52215407D33F8759D44DBC5439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017306Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:09.885{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=279CCBDBB92307BFA73D88A30E716BEA,SHA256=EA72379DE4F0F08EA103108B4E96EF338400DDE38142AEB8230B2DD9F63A81E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033127Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:09.576{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7402C9F847CFA877459DC975D6EF989,SHA256=65E403E45064311669A0D0D98DF5FFFE45E160C2C89CA1F274730CA59C6DA6B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017307Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:10.963{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79B045595D41A57B6DA26631A087C93F,SHA256=1FC920795120B91C51276267F645D06702023850FD22BEB6E2BAF92F851CA8B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033129Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:10.577{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40DD4E137DFAFA7C71581411F5BBDAF0,SHA256=BCAA598FCEB8B84976893326282329EFE2EA8DD5691D6BFAB144DB2A00651CF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033128Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:06.767{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52317-false10.0.1.12-8000- 23542300x800000000000000017308Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:11.979{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56DE8180BFEB6A123787D4948D386600,SHA256=927B0DB959B14CF9837B1E743FD215B84344FFE6CB8DEEB29F5DFC42EBAC5F0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033130Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:11.592{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F6AEEB8E27DCFF773D37113EBF2FF39,SHA256=A1A220CC185A4354F37E4EE52F4E52F162637F452C0DFD7847AEEF6C42A4D963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033131Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:12.592{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B69FF69A32438E3DD4AA1267053F0A07,SHA256=B84C99FB9597E45762C32D7334E8F7C63F785CC7CDF2740915A5117BE421EEC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017309Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:10.259{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50561-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033132Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:13.608{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE72CB9B5E8A301B9FCA5CF857118C1,SHA256=F6F419372952C4D55439254AC7B3ADB414AC9FA48E56BDFCC2C288C1DE840DC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:13.213{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29B2BFD038BC3A61EBC71E0F165659A9,SHA256=6E2782E5425C9727D927915EB473AC7B2199979B5B4CD4B6FCF1E49932C5D13F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033133Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:14.639{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECFE5C3E56B0C1805C7E82020C43DC2A,SHA256=C68E0730C8B76E898F02D89B685EF66A5F075CBA413EC39201742AA5B4823768,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017311Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:14.448{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A33F3FE53F300FA80B6BD952EFC289C1,SHA256=99D60D855EF8A41BC1F687D4C6B6F464C3B15E41DCD89D32B217F94671E2718D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033135Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:15.733{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20B5D7181AC22A209A8432D3CCA5434D,SHA256=0DFED100940C5F1CADEF75ACD67B5DB89D251B3E3E7736C49B512F57560E4838,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017312Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:15.588{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4512589CC325F8CFC92D6D593C661DD1,SHA256=AAA77411BDF71E5461FAA74ED614E0204658888B8B73D67FAC1971E789D6CDAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033134Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:11.767{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52318-false10.0.1.12-8000- 23542300x800000000000000033136Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:16.733{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3847DB5625483A6F1B9C5E5A2C432F0,SHA256=E468F70DA724BBEAB939A6E071509CF867117A8B874057E47753775CD70CB7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017313Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:16.729{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=993857E93854B538A05E317A105D137C,SHA256=060AC0B8A754FA03836DAFDC53E91ED35EB9FB62E1387FB72371995095DC4AAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017315Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:17.948{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B6125C2698F928889F4F04ADA24FA0A,SHA256=C7B0A5CAB840763A2C75E6AF40601C65914C9FA18F17DC7DD5A74424874B5E65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033139Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:17.811{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74FA3B6D0DF647EF025173647E159896,SHA256=04409768D99A10E5414783D2CC667AECE81C39CA5683677D328E5138CDC9B622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033138Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:17.811{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=618C9D97F732A23A2C2972676634B3A0,SHA256=40D039E7CA0D5D6B87D84C24885CA192FCFAD7414C7F40707A729D3CD107E3D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033137Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:17.748{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC8A85A8D002FF11E2F714CB84FCC22F,SHA256=970352B9FCBABF9E4F1F9C76F1CA22F585EE8C6A29F5DC97A6DE6F0506B221BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017314Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:15.321{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50562-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017316Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:18.963{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6B6C47209410CA2E2FB3A4E0733F202,SHA256=C61F73C717F5C687A4F78D503BF475F3A933D4F24207C0C36A0C9ADF9BF77BC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033142Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:18.748{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5AD51C2BEE3F78978EAB714D7324B48,SHA256=FD4CE1EFB90596870A087E8CB25956FCD6C1875B363A1FB3510BD8623E296401,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033141Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:16.392{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local52319-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 354300x800000000000000033140Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:16.392{6EDEAD03-FC2A-615B-2900-00000000FB01}2912C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local52319-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 23542300x800000000000000017317Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:19.995{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C5924704BCA9CC2BC8989BCFA5F9DE9,SHA256=25835C1FDD6509F014527CE6495927D843E0AA289A23F93D87FF4E9917164CA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033144Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:19.750{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=099F801A6B0F88AE0BE0E190708125CF,SHA256=3C224CEA20FF5E0A390F1353D7C1B0F315A5714BF7600F360A155F8FEE7A320A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033143Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:17.720{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52320-false10.0.1.12-8000- 23542300x800000000000000033145Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:20.766{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22BBE557F0BDC3571D0D727148B2C6FD,SHA256=42799385D94BBAC3BDD986D22EBCCADF1B4BA2D6E5C829BE3341FEB22F3FD195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033149Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:21.766{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65FA81624371C8D698E44EA1C7F39C7E,SHA256=F77515498D82005973BE7E6FDD624BC5E7FE6B0F9CD089BE9BECB5F1A9E5B1BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017319Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:21.811{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\respondent-20211005072534-070MD5=9DBD3CF651CAD1963D7DD9E70795396E,SHA256=D00FE5240C0E39CC33FD8ADFFDA13197E8833401D0A3D05F731F6A79B8E00229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017318Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:21.011{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53118D3E8533E02C37E8DA81968456D4,SHA256=48A26553DDEA245A32DECE9092336AB2926EE98DA5D86FF688CA80CB58508186,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033148Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:21.453{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1500-00000000FB01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033147Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:21.453{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1500-00000000FB01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033146Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:21.453{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1500-00000000FB01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000033150Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:22.766{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=249A8EF3FE3A8CC2E84E500B3B13889A,SHA256=DF280EB873F10FEE5556A6FC0DEEAB650154061A9C743CB5F42C5C1C54397CBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017322Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:22.820{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\surveyor-20211005072532-071MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017321Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:21.228{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50563-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017320Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:22.022{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E2E359042AFF18A7AB2C8DB66B29019,SHA256=F2D0CCCF60E3052482D7A30492793FD9A767345F87628C3C46DDA7E009C3D014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033151Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:23.781{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47DFF6D46E85919F37A5E33E436AB875,SHA256=7F96D35EE2855B3BEE12C6EF12E90549534B7068242BAD1EC0CF59B4BF93B815,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017323Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:23.025{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A8DBBB98D90D4DBCEB6A10DC9500FA6,SHA256=1F60F5D4A05CF2FD81A1AB9BB604A1311E52AB5FCC01C9302A2A8A3DD2A9506F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000033155Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:38:24.797{6EDEAD03-FC2A-615B-2D00-00000000FB01}1000C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x800000000000000033154Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:38:24.781{6EDEAD03-FC2A-615B-2D00-00000000FB01}1000C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\3921F692-FD43-40E6-838A-1597F7469C61\Config SourceDWORD (0x00000001) 13241300x800000000000000033153Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:38:24.781{6EDEAD03-FC2A-615B-2D00-00000000FB01}1000C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\3921F692-FD43-40E6-838A-1597F7469C61\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_3921F692-FD43-40E6-838A-1597F7469C61.XML 23542300x800000000000000033152Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:24.781{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8651039BD4C11EA71AF5DAFD368A2E90,SHA256=8F742074C32D6C0D82EE2673DBF1A1B88D216E2617BC9BBB37AC0CA72DF455F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017324Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:24.027{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=806DF8951B4F4A053463846A9AA77DE7,SHA256=2C4D3ED447D072A3CD829F0CEB7253E02AC5AC0D5FABD22102F3A79EA507AEB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033161Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:25.797{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73CBF75C14146BCB18144DACA4CCCF73,SHA256=09474E63254FB3C56E7043F4F450BBEDFD21F01A7887BCFEEFAFA2596D3F128A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033160Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:25.797{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74FA3B6D0DF647EF025173647E159896,SHA256=04409768D99A10E5414783D2CC667AECE81C39CA5683677D328E5138CDC9B622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033159Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:25.797{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C1C17B6B966ECA10FFD567CC9760245,SHA256=C2F6DA34FA0661A61828F147498D288DCECBFA0D614F96CE720E2119FF48BB43,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033158Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:24.380{6EDEAD03-FC1D-615B-0D00-00000000FB01}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local52322-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local135epmap 354300x800000000000000033157Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:24.380{6EDEAD03-FC2A-615B-2D00-00000000FB01}1000C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local52322-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local135epmap 354300x800000000000000033156Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:22.737{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52321-false10.0.1.12-8000- 23542300x800000000000000017325Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:25.027{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85FB108525ECAC1B6781B84E48A2BB93,SHA256=4FE26A1C5E9BA53E009EEA0A3F5373FDCF0870A8BE9126CA1043AF4B8832E574,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033166Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:24.410{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local52324-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local389ldap 354300x800000000000000033165Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:24.410{6EDEAD03-FC2A-615B-2D00-00000000FB01}1000C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local52324-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local389ldap 23542300x800000000000000033164Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:26.813{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53E92FB5273C016B3813172FC36DE4FA,SHA256=B8B369DEF6EB9A9CA5DE09F6B9F9B42D2A0562771FC8ABC6CB6F3A9B4E84B1B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017326Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:26.262{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=463F1D4B23468D55FF91F64F9DDC7672,SHA256=7F0F0939A614561684ECE742B2118E433CF02680D2636AF470C3F3903122780D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033163Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:24.402{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local52323-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local389ldap 354300x800000000000000033162Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:24.402{6EDEAD03-FC2A-615B-2D00-00000000FB01}1000C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local52323-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local389ldap 23542300x800000000000000033167Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:27.813{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=551C0864D2F3275218E9C499B47ECFAF,SHA256=050DD2650C897EC8C6640B930AFE8E3E56A619F2B11A4CDA2614E7813E01E841,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017327Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:27.496{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=338D5256AAD0F087E09EA5CA5650AFF2,SHA256=3F96F4AFBE25E2952EF3E90C51E829C4B741F851E3C0024D5DD872914052DC79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033168Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:28.875{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D1B04F76101E7B17B0D85AD46156147,SHA256=7546B0DEAAAC9D4274E7637B38183FDB23A191D9C28657762EBCE4237B18C1BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017329Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:28.730{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D59C2D158696DCFDF0C72A7F8BF9A68,SHA256=84D75AAAC148D7B2CE582B69C1FE72F3CABFADD7B63082B70AABC2F8F29D2A90,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017328Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:27.198{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50564-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017330Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:29.746{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01291D651526A916577BECBC8AAD91E5,SHA256=BC9468EB515A76ABDA290656D8B58127517E4D7128D8611ECB836EAD80D10414,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033169Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:29.875{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6C845D68920DADB8BF6E847048FEB5D,SHA256=5FFE4A2E5B64C5CC3CA8B2E17431F4F2A0EFBDF3E5EF16D61E619238F1A6DE84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017331Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:30.886{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08BEBD42610EB5A8F668467C74B5E412,SHA256=45CEBB502EBC6743713A374700AFFB2A1A6FD03723E195D9EA83060C9B403E53,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033171Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:28.628{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52325-false10.0.1.12-8000- 23542300x800000000000000033170Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:30.891{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75BDCF3079F3192981B0B7EC3CCAE7A6,SHA256=D0A24BAE8B64A6D715F39EF00A6B54E27A2D8B6E3934911D42BB509C07516956,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033172Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:32.031{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=433D04F90F18B4BBB0EA802630B3B2A5,SHA256=433ADEBA54EC388C92AFE9DE540C97C43E69C1DBA0FFB852B38A2FE92ACF258E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017333Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:32.558{49C67628-FDEB-615B-1100-00000000FC01}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E1B2F3C09A55AAD7D4FF6F749F56C5E8,SHA256=9C536E405B2708A831ABB66644AD82397C0D3F54BBB595E6D6FBAEA9017C2467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017332Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:32.012{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05825AAC8A696EA30EAA2FCF4A7DBA0D,SHA256=8632B3A318D3DC5FC2A983B3158AF2E1D53FDCBBA2989057C05158A96B960224,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017335Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:32.261{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50565-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017334Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:33.090{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DA7FC43B23B3516D3CBF23A92E71C17,SHA256=BC7CB02EF239E6A32022980FFEC0A1F57C5E2C46B9FBA13BBD6512CA39A91021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033173Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:33.266{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE302844C1C2E6C1E08A5665EDD60C8B,SHA256=07FE5D1BCDA565E2C7B10FA93A057D0FBDD1CB8D7DB0EFFA6995485EE2586016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033174Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:34.376{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5351E7C02AD715C0D1AA3129720B4D1,SHA256=C0664928994C37CECE4AC7D7D6BED2F232DC8B85B9C7261489896D1604A99D1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017336Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:34.090{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C31E59C2C291B9121DB6DC7E42A97A0A,SHA256=EA2F50F115B8ABAAC46D4A0DDE478BDB454C432A784A964850A8220797C42F9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033176Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:33.659{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52326-false10.0.1.12-8000- 23542300x800000000000000033175Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:35.469{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC35812EB7BC669BB0D15D2B2C228198,SHA256=036B87A8462B635AE826F143EED94A8E147723BC613D3D2BDC00BFBFC6A3427F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017337Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:35.090{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A42A459EDE4C14647C454797E51C8711,SHA256=4AFB0FF9C129477120A22DE88ED21D3058667EE7ACFC51F71E83315E63D0EDCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033177Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:36.485{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=330C93CB948C0BDA21535E7CB8032AA9,SHA256=8DF562CA7290FB842D5AC5DF20E9902670A36E87FB2AFFDD9A4C8918CDC84914,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017338Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:36.105{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A3C04B2A528D19F41441588752742A1,SHA256=E9EA98DCE2F3A48291F853F43EC6B8019D3C1207FE80A0531712CE5CAA616E61,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000033179Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:38:37.781{6EDEAD03-FC1D-615B-1100-00000000FB01}480C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b9c4-0x6446f642) 23542300x800000000000000033178Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:37.500{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D493A7E2D4A169A648F696D09B26EA58,SHA256=E8595607F4F14BFD00BBCF64B29FB8BAD8EE5986746A1AB542F03C07B7DF6B43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017339Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:37.121{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABAE240DD57BD28B9D1CA09B5A227C1C,SHA256=50F80E6EF61D0C0C4DB476A5E2D777AFFDCEB93289C799F4BF3F1FECC6DFB1E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033180Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:38.500{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91E99401FE9F013BE3A8EE8723AAA143,SHA256=8BA7B552A183A0C6726BCE384B55388F0EEBD417BE4772514E059A41C3AEF096,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017340Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:38.136{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01DE76C1C96FC2509F6387D5370F8662,SHA256=9033552AD367ABEDBD07CAD0BDF7898FEF8E534E1317B1E81511F219E0ACF720,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033198Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:39.942{6EDEAD03-FCBF-615B-AF00-00000000FB01}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033197Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:39.942{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0F0F-615C-B806-00000000FB01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033196Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:39.942{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033195Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:39.942{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033194Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:39.942{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033193Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:39.942{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033192Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:39.942{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-0F0F-615C-B806-00000000FB01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033191Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:39.942{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0F0F-615C-B806-00000000FB01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033190Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:39.944{6EDEAD03-0F0F-615C-B806-00000000FB01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033189Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:39.531{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C506859324B94CA3726373F97267576,SHA256=BAA75BC927FF4DFE7BBB468B0EC79F17360674E8A8E4B2CF9A6932E5FB102846,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017342Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:38.276{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50566-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017341Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:39.152{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06B3E48BA76B9E069A8686B4C9BCCB56,SHA256=8D38ABB981F154BC5C2C5BE0B17E4E5A944B099D761EBA26039358563CC31256,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033188Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:39.453{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0F0F-615C-B706-00000000FB01}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033187Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:39.453{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033186Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:39.453{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033185Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:39.453{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033184Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:39.453{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033183Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:39.453{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-0F0F-615C-B706-00000000FB01}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033182Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:39.453{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0F0F-615C-B706-00000000FB01}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033181Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:39.454{6EDEAD03-0F0F-615C-B706-00000000FB01}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000033210Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:40.614{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0F10-615C-B906-00000000FB01}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033209Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:40.614{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033208Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:40.614{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033207Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:40.614{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033206Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:40.614{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033205Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:40.614{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-0F10-615C-B906-00000000FB01}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033204Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:40.614{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0F10-615C-B906-00000000FB01}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033203Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:40.615{6EDEAD03-0F10-615C-B906-00000000FB01}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033202Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:40.552{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93D1A65CD7023A2869B53E764344291D,SHA256=3BD3D7DBC1BE761781E6017B5B300480AB2B77A8A1F6EB1E42030D28FE2B1018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017343Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:40.218{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8C04A322D3AE360CD6110850F8BF156,SHA256=4B7C6EFA93CB3D2D7599A5A221147FF5FD81ABBC229FA13AD574959D9C79D2F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033201Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:40.458{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B85B879052EE4F380A44002D9844AD36,SHA256=8BA6AD242968529E5FA56733CF39B7270D9F0DCF94F7741DE912F9A76DB4486A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033200Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:40.458{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73CBF75C14146BCB18144DACA4CCCF73,SHA256=09474E63254FB3C56E7043F4F450BBEDFD21F01A7887BCFEEFAFA2596D3F128A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033199Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:40.114{6EDEAD03-0F0F-615C-B806-00000000FB01}3492216C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000033212Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:41.786{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7B0576317B9B1E983A7DA1FD51827CE,SHA256=6FBF7CEA3AC89214550C7ED777DFDD423FAE7748B6EE045DE83B73FE9B5661AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017344Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:41.437{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62E478A2877AD9DA03852E74CC37C0C7,SHA256=EDB4BE669FE514B0AA259B952F379A0D070C7E4B7811117B57560C0E054B5770,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033211Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:41.646{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B85B879052EE4F380A44002D9844AD36,SHA256=8BA6AD242968529E5FA56733CF39B7270D9F0DCF94F7741DE912F9A76DB4486A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033224Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:42.849{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8517E88A5C764EBC0A558F3357603582,SHA256=E3629B09F9D57859EBB671052759DAD7F73B8903881BE8021D66007BDEBDADE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017345Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:42.499{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=344CF0B93C7F9554CC3BD94E7DFCCAA6,SHA256=1B0320C814AFE76DE76F2ADCDADA5704264A7F56EA3137B933261A33AA83DC6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033223Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:42.614{6EDEAD03-0F12-615C-BA06-00000000FB01}56085224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033222Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:42.474{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0F12-615C-BA06-00000000FB01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033221Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:42.474{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033220Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:42.474{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033219Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:42.474{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033218Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:42.474{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033217Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:42.474{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-0F12-615C-BA06-00000000FB01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033216Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:42.474{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0F12-615C-BA06-00000000FB01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033215Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:42.474{6EDEAD03-0F12-615C-BA06-00000000FB01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000033214Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:39.665{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52328-false10.0.1.12-8000- 354300x800000000000000033213Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:39.540{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52327-false10.0.1.12-8089- 23542300x800000000000000033244Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:43.880{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7B47EECCA9A112508CDCB7F6EEB6C82,SHA256=0A0F39B3E6A3C389241AA83051E18E286783EC2C5580D8349567D769BA24977F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017346Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:43.656{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6EF139C95E95047AB67F9F5345544DB,SHA256=3E13D41C8F2705151D39CCE21DEB20C1CCCC434341FC150BD99B80CC1C6B3908,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033243Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:43.786{6EDEAD03-0F13-615C-BC06-00000000FB01}5806148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033242Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:43.630{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0F13-615C-BC06-00000000FB01}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033241Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:43.630{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033240Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:43.630{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033239Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:43.630{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033238Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:43.630{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033237Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:43.630{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-0F13-615C-BC06-00000000FB01}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033236Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:43.630{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0F13-615C-BC06-00000000FB01}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033235Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:43.631{6EDEAD03-0F13-615C-BC06-00000000FB01}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033234Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:43.567{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5F08C6BB077840EB84371F3EA8DBDAE,SHA256=AF3FA41A26F5DE27BC9954D915EE57AB519B17A1DF9FB5ED55CD8CBBCC69AC26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033233Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:43.161{6EDEAD03-0F13-615C-BB06-00000000FB01}56203216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033232Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:43.005{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0F13-615C-BB06-00000000FB01}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033231Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:43.005{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033230Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:43.005{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033229Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:43.005{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033228Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:43.005{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033227Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:43.005{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-0F13-615C-BB06-00000000FB01}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033226Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:43.005{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0F13-615C-BB06-00000000FB01}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033225Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:43.006{6EDEAD03-0F13-615C-BB06-00000000FB01}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017374Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:44.921{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EF878E28617AF90ECEF8634F7E7A92C,SHA256=2E48B6675B5DB4414B94AD0AED5DFCD767963EEAE856923EAEDDB7F728B4D5C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033254Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:44.896{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B9CBAEBC4A1444B3DEA6B22FB0A01DB,SHA256=44491300EB1F55CAB2F36E296F9587887A639FB6878A511563858D4A241FAE06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033253Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:44.739{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38E75A87CE0350FDD0961D96D0E8F8EB,SHA256=4C88D2E2FE752491B35E85E77A3F01568D6DB5D321F1A4789A58A012431A14E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033252Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:44.302{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0F14-615C-BD06-00000000FB01}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033251Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:44.302{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033250Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:44.302{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033249Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:44.302{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033248Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:44.302{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-0F14-615C-BD06-00000000FB01}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033247Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:44.302{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033246Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:44.302{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0F14-615C-BD06-00000000FB01}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033245Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:44.303{6EDEAD03-0F14-615C-BD06-00000000FB01}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017373Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:44.562{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0F14-615C-D802-00000000FC01}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017372Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:44.562{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017371Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:44.562{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017370Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:44.562{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017369Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:44.562{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017368Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:44.562{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017367Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:44.562{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017366Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:44.562{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017365Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:44.562{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017364Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:44.562{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017363Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:44.562{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-0F14-615C-D802-00000000FC01}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017362Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:44.562{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0F14-615C-D802-00000000FC01}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017361Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:44.563{49C67628-0F14-615C-D802-00000000FC01}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017360Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:44.265{49C67628-0F14-615C-D702-00000000FC01}13961344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017359Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:44.062{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0F14-615C-D702-00000000FC01}1396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017358Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:44.062{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017357Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:44.062{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017356Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:44.062{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017355Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:44.062{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017354Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:44.062{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017353Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:44.062{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017352Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:44.062{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017351Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:44.062{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017350Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:44.062{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017349Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:44.062{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-0F14-615C-D702-00000000FC01}1396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017348Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:44.062{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0F14-615C-D702-00000000FC01}1396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017347Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:44.063{49C67628-0F14-615C-D702-00000000FC01}1396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033255Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:45.942{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40C70709E81D002B91DF84415C06DE28,SHA256=8F46679090FE08635C8766EF9D8DADC6B0E3C042BFAA9E0ACD04871940C457FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017389Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:45.140{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0F15-615C-D902-00000000FC01}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017388Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:45.140{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017387Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:45.140{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017386Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:45.140{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017385Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:45.140{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017384Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:45.140{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017383Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:45.140{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017382Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:45.140{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017381Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:45.140{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017380Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:45.140{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017379Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:45.140{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-0F15-615C-D902-00000000FC01}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017378Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:45.140{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0F15-615C-D902-00000000FC01}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017377Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:45.141{49C67628-0F15-615C-D902-00000000FC01}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017376Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:45.093{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E24968CC31EF9518C19CC93498AB4A4C,SHA256=007BBBEF698709FA33774396435B57163B99DE643445456ED4E5E8F8E771CB87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017375Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:45.093{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A919E690824E86A3676D9D0CAD2B18AA,SHA256=D1FF12F0454E6F4DC12E27D6785BE2613AEE533F57EF42F3888657B605DFEE77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033256Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:46.942{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D2AA795C73822BD6F2BA97DB09FB404,SHA256=EA54A0CECCEE47B9A78789CDF745577A2D5946EB85D82F7E6A06BB3B422CA96C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017406Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:46.468{49C67628-0F16-615C-DA02-00000000FC01}30761220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017405Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:46.281{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0F16-615C-DA02-00000000FC01}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017404Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:46.281{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017403Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:46.281{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017402Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:46.281{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017401Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:46.281{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017400Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:46.281{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017399Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:46.281{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017398Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:46.281{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017397Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:46.281{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017396Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:46.281{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017395Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:46.281{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-0F16-615C-DA02-00000000FC01}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017394Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:46.281{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0F16-615C-DA02-00000000FC01}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017393Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:46.282{49C67628-0F16-615C-DA02-00000000FC01}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000017392Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:44.203{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50567-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017391Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:46.156{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2945281289277104C7959B2B6F0C4B3,SHA256=20E96C1B5C741D4B08079D9698D556AC045A2F69C22760B7928BA6B9ADD8046C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017390Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:46.156{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E24968CC31EF9518C19CC93498AB4A4C,SHA256=007BBBEF698709FA33774396435B57163B99DE643445456ED4E5E8F8E771CB87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033258Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:47.958{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=545E83358F31B53F7CACBF1F09BA9A78,SHA256=C93797861FD888F415CB69DD2CAEBF3DE0F5785EF123C0038B1F3C72C953FE53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017421Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:47.953{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0F17-615C-DB02-00000000FC01}1620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017420Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:47.953{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017419Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:47.953{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017418Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:47.953{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017417Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:47.953{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017416Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:47.953{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017415Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:47.953{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017414Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:47.953{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017413Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:47.953{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017412Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:47.953{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017411Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:47.953{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-0F17-615C-DB02-00000000FC01}1620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017410Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:47.953{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0F17-615C-DB02-00000000FC01}1620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017409Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:47.953{49C67628-0F17-615C-DB02-00000000FC01}1620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017408Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:47.328{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84658650EAA1516E3E69BABEE28D72D6,SHA256=C48082A60BE62555D95043CF34DDA191B31F835C90430506ED52485CEA3C95AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017407Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:47.156{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B0C73C43B28E259B3A8A1D0FF5D8C34,SHA256=9086B154F4752C418FCAE893AC0FBB41503585A288DE648C4DD6D84642727063,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033257Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:44.758{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52329-false10.0.1.12-8000- 23542300x800000000000000033259Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:48.958{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=745CB54A92633CACC1DF77E2BFA6DF8C,SHA256=C1CBB21FEF92B08C7A9ABB19CA5882C413164C47988C992F8D79F437DC0AC395,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017439Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:48.968{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CECDB756EA73FF4BD3E24C5278E44D7D,SHA256=6751322F619DD791B46734E19F8606F5DADFBB7247C3B7124E4715472B4297D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017438Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:48.718{49C67628-0F18-615C-DC02-00000000FC01}40683840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017437Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:48.562{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0F18-615C-DC02-00000000FC01}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017436Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:48.562{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017435Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:48.562{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017434Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:48.562{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017433Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:48.562{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017432Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:48.562{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017431Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:48.562{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017430Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:48.562{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017429Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:48.562{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017428Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:48.562{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017427Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:48.562{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-0F18-615C-DC02-00000000FC01}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017426Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:48.562{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0F18-615C-DC02-00000000FC01}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017425Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:48.564{49C67628-0F18-615C-DC02-00000000FC01}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017424Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:48.218{49C67628-FE68-615B-9F00-00000000FC01}1772NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017423Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:48.203{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9004518D3FDB2A68E92365FF008DFF3,SHA256=384DC949E8718D9B1A19EA4621D53A1C0A56219EBDF309D77D42C78FF468C540,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017422Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:48.140{49C67628-0F17-615C-DB02-00000000FC01}1620172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000033260Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:49.958{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AC2CC6AEAAF3EF3DE43D05DF33C2A73,SHA256=F3B3320ADC0AAE0E07C6969A857392CCD5D7856DA5A839A3D85B42AB7C44D721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017453Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:49.234{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74F7EED38B0C3B97B764C131BD849D02,SHA256=3B8925FF8AA5D64B0687F432EF885E57D1CD78B2947103F849E9D46B68B36FCB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017452Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:49.187{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0F19-615C-DD02-00000000FC01}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017451Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:49.187{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017450Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:49.187{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017449Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:49.187{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017448Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:49.187{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017447Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:49.187{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017446Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:49.187{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017445Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:49.187{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017444Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:49.187{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017443Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:49.187{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017442Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:49.187{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-0F19-615C-DD02-00000000FC01}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017441Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:49.187{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0F19-615C-DD02-00000000FC01}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017440Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:49.188{49C67628-0F19-615C-DD02-00000000FC01}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033262Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:50.974{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D0FB4D8BDA43E09EBFC3C24665C842F,SHA256=18B684A9B980472EBFE3C2E1BF250037BB13E1133472F207B3C1FE42170330FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017456Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:48.267{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50568-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000017455Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:50.234{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6A7284F083D88C65A523CFB07AEB45E,SHA256=29D4F4BFE3B6D555DC1428D8FEE04BE20138AE85E8C6804295501DEA890DB938,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017454Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:50.234{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57AB4F728ACFC8AE393A635C52B5228E,SHA256=C20E60DA5E9A50111957C1A7ECC240D96AB0F5C3903B75BC39A4B8895A0144C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033261Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:50.802{6EDEAD03-FC1D-615B-1200-00000000FB01}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E72DC919035C538121B08D34D5D9671D,SHA256=DC021B40A1C90B224D30C3EB29BCF610C1B405642B5CC4FA307D1E96155520EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033263Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:51.989{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=611A6632BF4477C1B7F9D75158461622,SHA256=CCF60EBB8603954C1D8172C248190D89D6B058FE7B221B6DBA3B767A531877C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017458Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:51.234{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=270A91FC38FFD26AA7105BDB36150338,SHA256=8352D920FE40CC67142F79D64C895A32CA770CA58E208F040F6057AA0B189814,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017457Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:50.171{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50569-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033264Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:52.989{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8D1A2E6B9D23A3C9AA072A54EBA0F1A,SHA256=30F04F54D68EFC05D61E4E8E70631F68AD0CA92793D297FC8B0D07E869932F50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017459Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:52.234{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=454F8FA3E400A2A0778F5540E336D925,SHA256=A555CF6775E50BF5273DA9C4013EF172851ED4C32BB62C7B0A8AFB72C57D2906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017460Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:53.249{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D08D90590261F707010ABE937892BCCD,SHA256=296D7B696FDCFCAC7327A90DA422B1E689FB518348729C765F4956FFA0418BB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033265Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:50.714{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52330-false10.0.1.12-8000- 23542300x800000000000000017461Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:54.249{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F0AEF84E31C83A213A12490447510B1,SHA256=2834E726419FCE32D951B0325371A42D1F60E4211563D510F45F5E34C6E48053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033266Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:54.005{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73C9FFEA08FFB8A9F9FD3E478CAD6292,SHA256=FE8AF8958237C0CF69D1DF26F8A86BD7214029AFDFA4DD5FE6AC1E81B750BAE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017462Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:55.265{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD9EBFB3C4988BDADE0B8233EE2F3C4E,SHA256=921EC7891E9D0CDB4B3B0D722EF0734EB09E68802F4DB1AC020CBCD81EA0C33F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033267Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:55.036{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3B3EB38CB53410E52592ABDE382F863,SHA256=19972A74D89507E432AF4FE71EEA1013005CB47D1C6700BB4B5E2C0DBF53AFF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017463Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:56.281{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82E85067282C0F7EB7707B7140EF566D,SHA256=F9D23136939451B7E2F4944AD50BC7F7D30E51D038937082297E3294502064FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033268Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:56.083{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89CD38A39FC43F51841C6E77E8B004FD,SHA256=7DB15320121E69497E5D39DAB783F87DA43023943D3A9D1361995E5BB0EE9D76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017465Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:57.406{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A09C3AAFDAA98B93A6638FB1B8158885,SHA256=75AB3F23715E2CC6E5DC3B501CFDD904393344AAD323FD5E0D773CD9357B5CDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017464Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:56.186{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50570-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033269Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:57.286{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63DBFDB0935A119CE3F821E410E2C043,SHA256=7C0217E14813E7F3B67952BAEEE4E6BDF64EA9F3742B0CFAE016F8C75606EAE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017466Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:58.640{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09BE3E2A5AC2FE28A91B52397D69F56B,SHA256=0AB209B161B83FFFBEFA04CCEEB2B3B25427FE39C591B2C48C7BD50C86F30DD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033271Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:56.633{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52331-false10.0.1.12-8000- 23542300x800000000000000033270Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:58.302{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1AAA099BC4B7E193D81DC6DB12ADAC,SHA256=94CE358AB3AB9782AFB97C0FC69BFDEEB0DACB255FAF0588A98D96A452309E4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017467Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:38:59.655{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF774F983F377ADFB2A88900C289F2AC,SHA256=49CE869D67E94B5D9B47CAD11FC509DD5E96FB2B94ADB6F2F9191EE1D0E62753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033272Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:38:59.317{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2716F6A12889C2EE64C5716C3B56779C,SHA256=2C6912DC534A54C29BF6704DC6146B4E7A34D3F6373BFB64ABC72E7C31D00693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017468Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:00.773{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC28E58423CB22A6DA1FCB135578BF98,SHA256=2B3FC55112C8A5340AD8D37086C830AC25E7515905FAED6299911CDF7C4D7B43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033273Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:00.325{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D3DDED289A3A6BB8B482F87988E472A,SHA256=65DB6DA044E1E50394FF608E605AEC54A096C076659B2213DEC1F0F4C18E5A90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017469Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:01.804{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CDE46CAE197303C629203DC2ABF97C7,SHA256=EE8B1A69594A9D340C39EE4C329635DC5B9FEC7415594081E7BEAF6AF98015C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033274Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:01.341{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A58FD08CB34E1DE5718AEC92DDC5A44,SHA256=843C5E5960DE0FD8A0B333EBC9FCE0765A6454175F9BBD240B3F350F30F8FAF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017471Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:02.882{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3FC61B435FEB996BA5D1411157C294A,SHA256=7BC28A6652885CC3DE5A656E42FF46CF72CC860E1D3D5E0CA07C30FAE32CC80B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033275Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:02.372{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FC334A295AC47E206B7EC8423159B62,SHA256=334B3E808BE0436236FF6D1197E3AA69FCD23ECF9134A7424205C458F5746A57,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017470Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:01.241{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50571-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033276Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:03.372{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86AFBD9D97A2C929DCB74B2C1B8496F,SHA256=3248074420BAD6EB657A5BB7BA1ABF965B125CF6CE1ABB32CC9897F6F6C96935,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033278Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:04.686{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\respondent-20211005071805-078MD5=AA6F78CCC35FD74424B933C975A9F779,SHA256=482DFC86E7C4A11E76E3E352EB64B396C84C083D9F57F37823883232EC55A225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033277Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:04.419{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=107521E16D44B841A75B93EA836831D5,SHA256=190CAF7D6403FA7AEA35548B5A480B0B9088622D7EE7E8BE76F7CD663C2B256D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017472Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:04.038{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F07548D930E637D20DF14D2CE5AF445,SHA256=75A7C6867503362668FAA796B1F8B12F84A3D39C5291AA4A0DBBB50E426C2985,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033281Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:05.701{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\surveyor-20211005071802-079MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033280Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:05.434{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E9C0C67E87F8BDFA92B192F65290E02,SHA256=FC7212C1F57CF364F7D85452D84DAD37BA2099DBB4436D3D553F8A1C6DF8E2CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017473Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:05.179{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AA8E7BE178FAD441EB65473C13BE550,SHA256=CFECA2DE4C2957FB06F0D7678CB02670EED943175B3DCF7F6184D9DE368EDDF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033279Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:02.656{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52332-false10.0.1.12-8000- 23542300x800000000000000033282Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:06.451{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5E60BFE99EC8F3272B71D1A7BBA12F,SHA256=A5E891B0F25F26D44030980B2A749A5116D995D2213B4BA930FA4E781F0157B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017474Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:06.319{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2023FA808BFDA00CA751CFFC881D2A65,SHA256=48E840D8424216138E0C785250A2AEE831FAA50716C7726B0E850528E429B974,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000033284Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:39:07.935{6EDEAD03-FC1D-615B-1100-00000000FB01}480C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b9c4-0x76401693) 23542300x800000000000000033283Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:07.467{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7E7C96E18DF02FCDB0D3EB5F5E9CAAD,SHA256=1891B35CC682890E926B609664E5ACEAB5645185646ACD206301D8450D57BE35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017475Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:07.366{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7247C34785E38E4452220EACCE02A6E2,SHA256=6C62893315E28A0C49FB9C1B8D7A51C79EEB9F0707203700EB4E5881B2508678,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033285Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:08.498{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13B1B4993EA9EC52FB40EC18F9E5B28F,SHA256=8D9A6329A7F511C45E3776A87F6314BEA0AED3DB173839BB3E438037E74DF383,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017477Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:07.147{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50572-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017476Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:08.366{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E29F68BBDEBB7F69F76D496819129516,SHA256=1DB9B1B1E21D88E05C87F3D8573B475DED78476C00DEE60B38549F4A22291426,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033286Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:09.513{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C8843D84DAA01496FB279ABE53C49CB,SHA256=9AEAD33E95E549B59DC07B705ACBE52ADB9082C063D7E34D5F1CA29C0FE776F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017478Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:09.382{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E334F27621473EF72659DC87055B74BB,SHA256=E96B5B7215D123F5B190E2FD7260AA0A6F060C288B0AAC770EFB90C3D0428214,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033288Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:10.592{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8471A848559BE9620C8A50989B5229FE,SHA256=A918D6629803D9AD33B0B515A5A1485660B440F0F3324AB59657BA26BE6E6795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017479Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:10.382{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B579D8B32314281679904EA2EF90CDC4,SHA256=A7DACCDB7C79A858E0C6302FC22B1B650C2DD1AF86479CAE6C2CA940E8A6BFA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033287Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:07.798{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52333-false10.0.1.12-8000- 23542300x800000000000000033289Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:11.810{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AC1FD6A83E62E53B7583F743D0690D4,SHA256=5ACCA03B0D4E4B4F5E4824EAF6474D7BD8F153AB692FDB085A545187CDB326D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017480Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:11.398{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53CC53170A0C5E73655BE5EECDC8A460,SHA256=D0218DC157A0266C8BF4329D106729331B01DBCC469B049397BF8E457DC271DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017481Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:12.632{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A161D041474B692D00BB8C55039764F,SHA256=B3702D6611691703CCA775639C59CBD026E0868A2360561B1C97B2706848F7A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017483Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:12.163{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50573-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017482Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:13.679{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E32751BD5F4DCCBFC90C1AD007B53C8F,SHA256=4F7A753D4E8D7D7BF842FD9005814022C7905D6C451F0A74A6C0E664E2C5DA23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033290Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:13.029{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2351D2ED033A9E70FA25E54208615993,SHA256=54A8F4E70103A5CC98DE39A24B687DAF67BCF0F377EF536D92C9A616388443BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017484Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:14.913{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=199B121E2CCAEC5A35D93A22CBAB22BB,SHA256=684CD8404F83839AD65CE9FFBCD4494F79DF008E79127CC0A82CC0702CD5FE1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033291Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:14.060{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4FBF28BDE7E4D46ADA0551807C8C993,SHA256=6BD446E25641A5A9D5E17225C5438DBE79A59868B39B598C8A36B7C48D876884,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033325Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:15.404{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033324Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:15.404{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033323Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:15.404{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033322Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:15.404{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033321Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:15.404{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033320Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:15.404{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033319Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:15.404{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033318Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:15.404{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033317Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:15.404{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033316Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:15.404{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033315Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:15.404{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033314Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:15.404{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033313Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:15.404{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033312Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:15.404{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033311Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:15.404{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033310Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:15.404{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033309Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:15.404{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033308Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:15.404{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033307Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:15.404{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033306Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:15.404{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033305Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:15.404{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033304Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:15.404{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033303Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:15.404{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033302Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:15.404{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033301Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:15.404{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033300Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:15.404{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033299Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:15.404{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033298Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:15.404{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033297Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:15.404{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033296Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:15.404{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033295Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:15.404{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033294Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:15.404{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033293Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:15.404{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000033292Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:15.076{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BE0DAE390FF7510E79FAA9E5C423124,SHA256=214D40B0C52FF561B60A76FF9DDA22F7BB57043CE259034EF6E920DE97C7349C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033327Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:13.813{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52334-false10.0.1.12-8000- 23542300x800000000000000033326Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:16.232{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C03997636F8F64FB336DFACFA49B9B23,SHA256=873B198C7C010A1EA7211F6B9B7EB54F635D22ED0EF56BCE2724CB13C00D449E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017485Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:16.069{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52AD5E483176D1ABB52CF5C1DC0C076C,SHA256=7409B5382080AA284558B91EFA8E2DCF9694BE78C9457DF6868CF14E4B366DD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017486Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:17.194{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86D294309716940055791B888679B411,SHA256=B9229B2B99C9FF32E3A5FB84B489C41784CD3D4561CC04D92A6958FE693CE59A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033330Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:17.810{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2FA241B849BED67B5C84B5C14537EC9,SHA256=348466E6F4D8ED43DD638E8D160DE176853AB1B73DA0F374E98942797A46A8FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033329Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:17.810{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BD2AC19EFB1F605699A8FE2A827C156,SHA256=C27DD556CBD1B3B58C85CEB6ED74C526903A4EE2EEEFF3834D0FE0C787ECA02E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033328Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:17.232{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E03C98BBD98146C0CF74AA0506CDF9A4,SHA256=F58AC5C76A60E4265F499DF28FB6EBE4026487F9A29607CD2ADA6731FB1DB76A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017488Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:17.194{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50574-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017487Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:18.429{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=493917DD928833E7ADA0B30050F31EF5,SHA256=D74C032EC1692A70C266B90CF06A5C7837399385A66309077E9148D72412F428,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033331Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:18.232{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0579EED64050AE9C80D228E045CB016,SHA256=2DBD82DC30E8A807234FCCFDA7397516D581B85C3C80D0AAF1DD1822CD172151,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017489Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:19.476{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B922D88967698C0F00161FCAF3D3AF,SHA256=8A64F5CB38A2DCC97543CF645E2062FD89F4187E6F3B317A4DD634E2522BC4F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033334Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:16.407{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local52335-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 354300x800000000000000033333Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:16.407{6EDEAD03-FC2A-615B-2900-00000000FB01}2912C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local52335-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 23542300x800000000000000033332Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:19.248{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9186836533E2775918632CED0ED4E96C,SHA256=E08321212BC2C04957A7815E526FE7324C62BF5099E4224BCBFAA7D645DE0EF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017490Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:20.476{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12CE30F25E3FD44F32ABE147DA128747,SHA256=9E427E6BA262C00F33B277B6406D0D64D621116D120E1A74EF41C074C8DEFAD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033335Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:20.263{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D30BD7DF87A709020FCC9A9B49117127,SHA256=FDD11DA832CB49463AF08E71CD2BDB6C391F0D22F72313561E47AAE9E5D15FA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017491Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:21.492{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DF67EA27444EAFBA3E79B5C5B74CF10,SHA256=917DE6DBB8444EF9E8A18AB7C197AE9EAAE3BD7E3BF8E384DF02CDEF24A8E3A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033336Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:21.263{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28507DBC1F7CF3A83D18EBB259F0C568,SHA256=7AEA494822ECA62445C2D10CED14F3BE45A3D1093E64A6608F4AF60A82F2E21F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017492Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:22.726{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12E1F175D22B09E811FD34249603FDCD,SHA256=DECDD902CCC69B2CBB86173D095B3B1518F63915FBB83D0DE78CB613DA1EB6C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033338Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:19.750{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52336-false10.0.1.12-8000- 23542300x800000000000000033337Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:22.263{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A73DBC33863BEBACAF689C55EE92A40,SHA256=0F4F9961CEFFD2AA91CE1E364263AD13EA336045784157721B131EC4DD44FDDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017494Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:23.962{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6423ECCEE5DC2069DFDDA3F539BF206F,SHA256=D19A1242275C3C9FC889C1B4A056CA58BDA10F27776522AD030BE6A17AEE6453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033339Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:23.278{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ABDEB6ACCEA0A48C5338BACAF392017,SHA256=BD475E63C498C6D01983EA8BF897AF76841B7783ADEAEFDAF28EF21E635E151C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017493Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:23.340{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\respondent-20211005072534-071MD5=9DBD3CF651CAD1963D7DD9E70795396E,SHA256=D00FE5240C0E39CC33FD8ADFFDA13197E8833401D0A3D05F731F6A79B8E00229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033340Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:24.278{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F6E6D942CE085A253EFE7113279700D,SHA256=D6BDD3B1BD3A6B6DE22539F97E38AB58AF1985873030F089B96C48804DB8175D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017495Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:24.354{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\surveyor-20211005072532-072MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033341Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:25.294{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3726F04E573C98A5476C44AAE66A74AB,SHA256=8C97B2883CD2401EA86B93B74940E267FC0761828B3A24D71DA9EBEE6EE72518,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017497Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:25.150{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E509D69EC0ED6F2F12646833776F8583,SHA256=19421EE9BFB36DE03E6E285090310FA267EEDEE24C5B824A9DD7120F77865E5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017496Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:23.119{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50575-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033342Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:26.294{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CA87ED9A58B9AF1EA142776DB676154,SHA256=E9CAFF80315032BEE2A3D791D425916D57437532F8222AF31017B2EF412B1F1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017498Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:26.368{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A06DF1F2B8063F3F97AC25109E041BAA,SHA256=08B8C291BBDE6D7CA95F6C7B9878791AFD2799DAD735EC26C06B962B6FCE30EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033343Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:27.310{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=764BBDD789EB2DA5206AC64C1CD58F47,SHA256=F77537B34E694D40F330B5A1FF79308710C29FE3C2819B7334CF23F427BCC550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017499Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:27.447{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=447080AC8EB05DF30409A14F9D6C16FA,SHA256=352741CFBE956A0441FD3A39BF1654E9E0A4ACA1F875AA830678D55C34A64CB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017500Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:28.556{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E66955153F0583C631FEF6ADC7D5AF3,SHA256=F86E31A8C9B687972F805542107C906A705E4A665340E1C3B88DE38BC71D99FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033345Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:25.734{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52337-false10.0.1.12-8000- 23542300x800000000000000033344Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:28.325{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD5EFFC2A707A51E2D19CDC6E6F6E465,SHA256=CECB75BB05071C19B23FEC26421ECF690719039748B853BD4A5D947DCC22D7F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017501Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:29.571{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6301D5178D2DD0CB20C948C77B974DB1,SHA256=947AB6099B7AD46E7E647F3A6B340BD5B4BCAD00ED9D6698AB4C2CF6576ED963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033346Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:29.341{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B38EE9E1328DE16E6E5085A13FD4966,SHA256=89C32A8E798A9D1A612A14117DCAD3FE6B670EEF38D481B430E3451C5191AE9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017503Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:30.728{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A38DC4237BD6676A67353A382CC8D67D,SHA256=CDB7EE85CFE89FED4BFEE8854FACDF651B965D7D9CBC0671A7ADFB4ECD3C4AAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033347Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:30.341{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5FA28A3E8FC8E83B8B5EE79779B6A49,SHA256=91143148376F68DC674C7D6D3FC8D5BEB67451746187702A7C63793FE4C75C10,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017502Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:28.259{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50576-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017504Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:31.962{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39927FC7613C7B4F277AE1745C0F3683,SHA256=E4A84580C210E3953D38C8DC19565186DB33A22C3A3481775AB8071256140FA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033348Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:31.341{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6937C2C7B9DD38E41E4DB36BEAAEC1FD,SHA256=0262D4AF46A24DB96E47D445C236354E982C68CA2499717FDE4BB865461DC164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017506Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:32.962{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD7457874C042D86CF736203CD3D8795,SHA256=DEA215DEB31A401CE355077A4875BEC041DFB2C56C1A7368B05AF5116CB756AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033349Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:32.356{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9718A900262EB031F672EE7D9E600CE3,SHA256=F8BAD082EA7B23989D593898C36269E813E69C61A37F746782CE9676BD6252C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017505Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:32.571{49C67628-FDEB-615B-1100-00000000FC01}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E9213DF7836AECE4067BEED1953AE4A5,SHA256=782BDC2901CE139EFB0A6A9025ECA712157C5DC465D61DB801485AE0FC11A20F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033351Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:31.719{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52338-false10.0.1.12-8000- 23542300x800000000000000033350Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:33.372{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EB5B9F7A66A218594761BEF385F2A73,SHA256=786C99166768DE6DC9331BF014C8D0083B820D848D41489DF931D32F7611DA48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033352Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:34.388{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7B06B5D942499CE40812079A3844BDB,SHA256=125B29AC2643443127493FBEE666C38173AAB9C00A39612C103475BE686C46EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017507Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:34.181{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AEB594A37E1CD633060535AF0C7EB9D,SHA256=DC3042A4F54EADBEE4DF3A1F4BADE3EF6F3D1F0289CBC8E384D8749AF97D319D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033353Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:35.403{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49791B7028D747638471873049241E44,SHA256=727D090DB39EE86645A5A64AAF1720F3160A6261071F992D42C6234B135577EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017508Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:35.415{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F669A51186B5B89DF8D62BC354F7DD5D,SHA256=45589F8C88A207134101CE561DA20E609D43715BD68FFBAB155E1225968F501D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017510Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:36.556{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEA832FA5D85836353500D2EED462684,SHA256=9069F9BD10B50484778F815F403D2E94FA781F859CD8C8C066351451E3A9D101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033354Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:36.419{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F30C1AB994AE1EE5070EEAC2C8B4D8B5,SHA256=2ADA10FC6D7F84D92822C8D38AA9682A4CDC485E7D9A7F43A8477B7EEC070959,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017509Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:34.274{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50577-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017511Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:37.649{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A041EDA30A3505C4F89BDF81D5CDF4C4,SHA256=105ED62F1AA5715633EF0B2CA84A26119A0F2CE60058F833CA50971D0AD66119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033355Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:37.419{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD1361EFFF83516B7FFAB30F372E645C,SHA256=B3100ED31D903516A1F6D5F044215FB41C89BFBD35694447784C328D16DECF1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017512Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:38.649{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=266444B5DE48B99845EC9DBFEE750B21,SHA256=F8621D283DB14103FFEC7B0D50189282F176F02EFB05568E5C8F195FE8E664C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033356Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:38.419{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E00CED057FE4C6D4AFD2BC7D42AFF88,SHA256=3A143AC697376E09137AC97C57B709D860F2BF390A1DFF2AB7C4E7C759141143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033366Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:39.960{6EDEAD03-FCBF-615B-AF00-00000000FB01}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033365Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:39.450{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0F4B-615C-BE06-00000000FB01}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033364Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:39.450{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033363Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:39.450{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033362Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:39.450{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033361Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:39.450{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033360Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:39.450{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-0F4B-615C-BE06-00000000FB01}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033359Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:39.450{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0F4B-615C-BE06-00000000FB01}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033358Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:39.451{6EDEAD03-0F4B-615C-BE06-00000000FB01}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033357Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:39.434{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2940B66B67ACE7E22CB221A519C51E84,SHA256=E8380D5AA28AB288393F5E35CAC7386C93CF92A51E84113FCC05308D7FF8A5A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017513Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:39.649{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0426C86C10E46C26B265DDE4CBFD4A64,SHA256=000B20C436BD7E2B3E61C2A9D2692D96199250088EF0042C52C86483AF4E6291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017514Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:40.658{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=322C32BDA699B1DEEE117EA79555A8A4,SHA256=160A524D52EBC172FEC6CBCD2F608B556325770C7DC21CF017AB9E6B9B9A47EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033387Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:40.788{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0F4C-615C-C006-00000000FB01}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033386Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:40.788{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033385Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:40.788{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033384Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:40.788{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033383Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:40.788{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033382Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:40.788{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-0F4C-615C-C006-00000000FB01}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033381Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:40.788{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0F4C-615C-C006-00000000FB01}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033380Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:40.789{6EDEAD03-0F4C-615C-C006-00000000FB01}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000033379Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:37.719{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52339-false10.0.1.12-8000- 23542300x800000000000000033378Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:40.522{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB6A0DBD6FE231AB913760FDF92628B1,SHA256=76B46BCC63D2AF6B57A2B47FFE91E9024EF7055EB2D77C38F6CAA80E5DA5B4FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033377Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:40.522{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2FA241B849BED67B5C84B5C14537EC9,SHA256=348466E6F4D8ED43DD638E8D160DE176853AB1B73DA0F374E98942797A46A8FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033376Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:40.444{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D14FC51B875D47066434AC21888269B,SHA256=38335BDFCC856CDBE9203B97BEB3F378E24D2AA0DB80B0D007A6853B3AA3F8E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033375Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:40.272{6EDEAD03-0F4C-615C-BF06-00000000FB01}63564956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033374Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:40.116{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0F4C-615C-BF06-00000000FB01}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033373Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:40.116{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033372Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:40.116{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033371Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:40.116{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033370Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:40.116{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033369Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:40.116{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-0F4C-615C-BF06-00000000FB01}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033368Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:40.116{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0F4C-615C-BF06-00000000FB01}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033367Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:40.117{6EDEAD03-0F4C-615C-BF06-00000000FB01}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017516Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:41.751{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24981E2D74B6ACC223C71D28C3750A51,SHA256=5FDCB8B5713573D21D6FA4A8791441B4676154CCF1E191067E68D9568EAC2D24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033390Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:41.803{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB6A0DBD6FE231AB913760FDF92628B1,SHA256=76B46BCC63D2AF6B57A2B47FFE91E9024EF7055EB2D77C38F6CAA80E5DA5B4FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033389Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:39.541{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52340-false10.0.1.12-8089- 23542300x800000000000000033388Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:41.460{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=899803598A9FF5751364A7AF7FBC8956,SHA256=34DFAC45EEB512F7571148007A2076D5B0F6C1DB6DAB618062F539C84464DEB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017515Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:40.204{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50578-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017517Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:42.876{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D98DEA6C5D281CD141F19500C1B038F2,SHA256=284E990B59C4311D897E376EFB9F3B436F32EE9DC7BE576C2B41FB271B6F5882,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033408Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:42.975{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0F4E-615C-C206-00000000FB01}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033407Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:42.975{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033406Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:42.975{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033405Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:42.975{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033404Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:42.975{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033403Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:42.975{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-0F4E-615C-C206-00000000FB01}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033402Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:42.975{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0F4E-615C-C206-00000000FB01}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033401Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:42.976{6EDEAD03-0F4E-615C-C206-00000000FB01}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000033400Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:42.725{6EDEAD03-0F4E-615C-C106-00000000FB01}52685988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033399Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:42.475{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0F4E-615C-C106-00000000FB01}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000033398Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:42.475{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE996C5833075FBB1976FC1A3C57CD18,SHA256=E4DC67383E39C31A9E97F482E0882ACD15C2C5D02D9B72C01EAAFC04D0BC81A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033397Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:42.475{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033396Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:42.475{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033395Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:42.475{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033394Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:42.475{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033393Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:42.475{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-0F4E-615C-C106-00000000FB01}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033392Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:42.475{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0F4E-615C-C106-00000000FB01}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033391Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:42.476{6EDEAD03-0F4E-615C-C106-00000000FB01}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000033419Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:43.647{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0F4F-615C-C306-00000000FB01}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033418Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:43.647{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033417Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:43.647{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033416Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:43.647{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033415Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:43.647{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033414Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:43.647{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-0F4F-615C-C306-00000000FB01}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033413Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:43.647{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0F4F-615C-C306-00000000FB01}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033412Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:43.648{6EDEAD03-0F4F-615C-C306-00000000FB01}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033411Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:43.491{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB54F589EA329E16AD7AED3E50BD74D5,SHA256=67C677277BD8DB83CD5BD8D17A3CB04DD7E565FC658DE7350E9CC3F8EA0095EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033410Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:43.491{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A23245E6BCBDF4900A11D42C69CA68D3,SHA256=ED951A231315D5B6B44DF5F88A7E9C7911A7D65F9DF216216426A410703A2293,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033409Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:43.132{6EDEAD03-0F4E-615C-C206-00000000FB01}64042288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000033430Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:44.678{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B5D5CA7C621DE098C4F4BDAF079CD52,SHA256=EFF7B6F2B2A829783027EB751A42C8258C12C0C5E04FC9273010254B57EE0DBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033429Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:44.507{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFE264CEC3E1653EED65BA9CB0159839,SHA256=806C77F72CF9174A0CE9B5880CA6BC31442BF6266A8476EEE1898382E3635354,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017545Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:44.751{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0F50-615C-DF02-00000000FC01}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017544Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:44.751{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017543Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:44.751{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017542Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:44.751{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017541Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:44.751{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017540Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:44.751{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017539Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:44.751{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017538Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:44.751{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017537Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:44.751{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017536Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:44.751{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017535Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:44.751{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-0F50-615C-DF02-00000000FC01}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017534Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:44.751{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0F50-615C-DF02-00000000FC01}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017533Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:44.752{49C67628-0F50-615C-DF02-00000000FC01}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017532Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:44.251{49C67628-0F50-615C-DE02-00000000FC01}25203084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017531Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:44.079{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0F50-615C-DE02-00000000FC01}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017530Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:44.079{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017529Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:44.079{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017528Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:44.079{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017527Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:44.079{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017526Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:44.079{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017525Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:44.079{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017524Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:44.079{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017523Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:44.079{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017522Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:44.079{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017521Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:44.079{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-0F50-615C-DE02-00000000FC01}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017520Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:44.079{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0F50-615C-DE02-00000000FC01}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017519Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:44.080{49C67628-0F50-615C-DE02-00000000FC01}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017518Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:44.017{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4927EA6AE3448EDC45D711F2F6F22122,SHA256=D5E01BD8801BA942CAB4385E9615CC79B5FA06214ECB312F994049A892ADBA69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033428Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:44.491{6EDEAD03-0F50-615C-C406-00000000FB01}59845372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033427Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:44.319{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0F50-615C-C406-00000000FB01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033426Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:44.319{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033425Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:44.319{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033424Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:44.319{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033423Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:44.319{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033422Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:44.319{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-0F50-615C-C406-00000000FB01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033421Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:44.319{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0F50-615C-C406-00000000FB01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033420Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:44.320{6EDEAD03-0F50-615C-C406-00000000FB01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033431Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:45.507{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=303B58FA623907596E5003244F913C87,SHA256=19B07C43B9704D58F01D036DE9DC8C931E017029E2EC67C1C5C719304323277E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017561Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:45.298{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0F51-615C-E002-00000000FC01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017560Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:45.298{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017559Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:45.298{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017558Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:45.298{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017557Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:45.298{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017556Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:45.298{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017555Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:45.298{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017554Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:45.298{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017553Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:45.298{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017552Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:45.298{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000017551Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:45.298{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C41720DDE27647AB7A3B85F41D50A0D,SHA256=4678AEC21C85C0AAE51E39CC4424E8DB24B0CF9BF1D465FE1E24F64C08A62455,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017550Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:45.298{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-0F51-615C-E002-00000000FC01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017549Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:45.298{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0F51-615C-E002-00000000FC01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017548Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:45.301{49C67628-0F51-615C-E002-00000000FC01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017547Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:45.298{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D855E4C3A6466237606A370AA57FF2,SHA256=0835A7979DE6E2803CB98EEF208395BE48399F6359EBBAA4175896DE41DE70D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017546Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:45.298{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27B37FFBA8D63899A98756CD7E42930F,SHA256=CDA279D83EB0245195A9F404329CCBED071B05EAD5F6B5BFED0DDD4F9CDE08C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033433Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:43.760{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52341-false10.0.1.12-8000- 23542300x800000000000000033432Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:46.522{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EECB312C70FF90A10DA936D3A98E6D84,SHA256=842670770C55A4DB3DC27E4908363C2CFA1DB8809C5D1A5556859956ADEB1E4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017577Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:46.454{49C67628-0F52-615C-E102-00000000FC01}14762788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000017576Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:46.439{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=721808A358A40972495AD70C96294C88,SHA256=E6AABED34C2BEF2897D649CEC288D2CA55D61CDCE8ED52A7E43C20B1389309E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017575Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:46.298{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C41720DDE27647AB7A3B85F41D50A0D,SHA256=4678AEC21C85C0AAE51E39CC4424E8DB24B0CF9BF1D465FE1E24F64C08A62455,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017574Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:46.298{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0F52-615C-E102-00000000FC01}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017573Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:46.298{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017572Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:46.298{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017571Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:46.298{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017570Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:46.298{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017569Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:46.298{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017568Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:46.298{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017567Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:46.298{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017566Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:46.298{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017565Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:46.298{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017564Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:46.298{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-0F52-615C-E102-00000000FC01}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017563Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:46.298{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0F52-615C-E102-00000000FC01}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017562Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:46.299{49C67628-0F52-615C-E102-00000000FC01}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033434Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:47.600{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFCE646F18603EA7B36827EC63F9F910,SHA256=0C18A8F70E7D215D73587AB3CAAFCC802AE481A05FE57FFA4109A250C84ED34C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017593Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:47.970{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0F53-615C-E202-00000000FC01}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017592Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:47.970{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017591Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:47.970{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017590Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:47.970{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017589Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:47.970{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017588Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:47.970{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017587Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:47.970{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017586Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:47.970{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017585Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:47.970{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017584Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:47.970{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017583Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:47.970{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-0F53-615C-E202-00000000FC01}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017582Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:47.970{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0F53-615C-E202-00000000FC01}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017581Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:47.971{49C67628-0F53-615C-E202-00000000FC01}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000017580Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:46.126{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50579-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017579Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:47.439{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71C888B16916823CD6F1FCE74B13A79C,SHA256=15FCCAD1067A36445D0B9C5D1AD6E40BD86B1EBC8A338A41FA98BEA51BB58387,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017578Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:47.314{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BB2F16C0CE66C324635B86E4E870C9E,SHA256=6619FBA8CE483DE4BFD8B2411ECD0172021FD43EC2CFC2E9115DA95A760B8E71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017611Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:48.986{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90F20FFE9B5831E88700876746B43A94,SHA256=DCEAC49BD1D93649C2D6014428DA224FB781BA0B8A598DA3CE27C6ADCDF64CBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017610Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:48.814{49C67628-0F54-615C-E302-00000000FC01}876824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000017609Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:48.720{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22FF9E475A70E53C2AAF731BAABCC658,SHA256=C45797E403EFC389F7214F3DEA91DABAC490EF37FC77F2BDB36DC1BF8C950CC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033435Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:48.632{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78887BC245BF2C12FBA8AD4280CD6B93,SHA256=C5B69D5129A6916820AC005FDEB08B0F818F4739CBA2134DDA321A29393E252C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017608Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:48.642{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0F54-615C-E302-00000000FC01}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017607Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:48.642{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017606Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:48.642{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017605Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:48.642{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017604Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:48.642{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017603Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:48.642{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017602Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:48.642{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017601Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:48.642{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017600Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:48.642{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017599Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:48.642{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017598Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:48.642{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-0F54-615C-E302-00000000FC01}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017597Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:48.642{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0F54-615C-E302-00000000FC01}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017596Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:48.643{49C67628-0F54-615C-E302-00000000FC01}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017595Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:48.236{49C67628-FE68-615B-9F00-00000000FC01}1772NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017594Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:48.157{49C67628-0F53-615C-E202-00000000FC01}13884064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000033436Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:49.632{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46CDB10C638E2519D51FEC057266022D,SHA256=B64F7F8662EF35259B693A85F04208CA2A933A75A588A69F24F32F107EC85AB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017626Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:48.283{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50580-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000017625Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:49.720{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56F4A38921F9928DD106387EDBDF9AAE,SHA256=531EB968574174FDFC8FAE6DCB040F67967D551C8262C305A2A6D0535DB83895,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017624Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:49.314{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0F55-615C-E402-00000000FC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017623Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:49.314{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017622Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:49.314{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017621Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:49.314{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017620Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:49.314{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017619Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:49.314{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017618Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:49.314{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017617Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:49.314{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017616Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:49.314{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017615Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:49.314{49C67628-FDEB-615B-0C00-00000000FC01}728864C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017614Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:49.314{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-0F55-615C-E402-00000000FC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017613Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:49.314{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0F55-615C-E402-00000000FC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017612Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:49.315{49C67628-0F55-615C-E402-00000000FC01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017628Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:50.720{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE9DBB86475337CFA93AF653121FD9D3,SHA256=22A14F96F19F66F54E72B8EC5854B08194CF4C65F3BF520F6248E25D47C92439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033438Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:50.803{6EDEAD03-FC1D-615B-1200-00000000FB01}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=077D14BA36F310B17690FC470CA3BA0F,SHA256=47FD06498180DFC7A6C1BE0F44823ABFB1ACFA96BC01611114CE20F123279D88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033437Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:50.663{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF787026F5A03F9BBDF2ED7099D17430,SHA256=FDBA688BE2DF3DA6BCF0974FFF6AF4E61A9D19F17828524561BAE038C892E9C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017627Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:50.532{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BACFBFCFB3661F0CF75F185DF8332CEB,SHA256=686FBE3FF49F91F7779B320A6E0244EA01C99BE18B6A13C11C43785C6A7CE4BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017629Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:51.954{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=012CD0FD22E3563237CD070D43C1363E,SHA256=03A78AF713268FFB55A5ABA73A541C99C50D921860999FD80DEB17537A9006D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033439Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:51.694{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F32EE015F39D8F00832CF0A1DB9BDBFD,SHA256=53FF1C12589BAEE922C1F61DD47D50B3122C51E63150360830BCA5CB4AE1054B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017631Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:52.970{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0725F1C5599B64AD0CFADE2C0A6DC2A9,SHA256=43E4C7D13FA70CC73A24CD1264FEF9FE5FBCED7EB8120C3140C2DE04EFEE96DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033441Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:52.756{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=749540CD3CD771A0102F6EA7E247CA28,SHA256=E700E8FC9EEBBD2E64F3903FEADFF13F955F9702E8BD7C2B87CE161174DD5624,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017630Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:51.142{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50581-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000033440Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:49.713{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52342-false10.0.1.12-8000- 23542300x800000000000000033442Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:53.850{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E98524D8895745E244CE72078F565C3C,SHA256=A08ED341292F4FC570823EB65CC189FCC6F21F51BBA636178BD9921740EB3BE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017632Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:54.079{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86C29E2DA4A7A34D060DCD14A6D4370A,SHA256=66D3E257A0CA6548D203D11B9D92249728F95969C8231FD90DFB5BF7772D09F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017633Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:55.235{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DE526BFD2EF69123AE338770F05F2B8,SHA256=0CEC5C0BE5C4FB51749B2EE12D93E4E01A57057C6B2EE0735A9AF8ACE1182E8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033443Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:55.085{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3286BA4176F543C497841B95CF48E3B1,SHA256=E928B8D72DD219404CF431C1BCB30A577D6689AF49335E93B66C9C1F3330FFB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017634Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:56.361{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DDDED488A6E7B24EE97FAD51E459A8D,SHA256=F2A2941F5E02A4CB7797E32FCCA8A22221DB471D630CFF0825D66430157CA76E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033444Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:56.100{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2E3CC8B052D195B35AED98C356E53D4,SHA256=CC57BCAB295D6E47C3B18A145F22AAF0CA5F7E8A29597EE39836167CC7889CAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017635Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:57.517{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42108FF9CBA29446D6305E7F0383557C,SHA256=41B06E8B1D39D9F5CAC728D3AEEE1D209C89092533E94D21FD5000ECF2E8CCDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033445Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:57.100{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCE5A14CA616FCB7826FDA50B420C940,SHA256=4DE6D84F30105F6603EE9B391098DB9D8E7F17A8BBD78DC3093364641C069510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017637Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:58.642{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB5E5DD418A41C06DA66A0412DBBB389,SHA256=ADB00C199F7267B8AD837F0816BC9F62D032A53C64D9DDD8C5A6ED8A20918FE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033447Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:54.775{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52343-false10.0.1.12-8000- 23542300x800000000000000033446Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:58.100{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B92C2A617D36A0B86DCD62EC53F86366,SHA256=B40969EADB033E7813981794E0F8501736D3B4F10EFD37ECF53ADEADDA02FC7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017636Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:56.204{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50582-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017638Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:39:59.796{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92D085FF31E2A493DF17A31DC8B7BE60,SHA256=5C415FF7E8719D07B91F535BE126137F36458948EF27B9FBE79C22CB3AE7112B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033448Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:59.256{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84B8A0077A0856734587ACBC93F0EC93,SHA256=CCB46D8AEA0283FDD4C352741AF5B31E2B22382425466619A7CC3FAE8C43DFDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017639Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:00.812{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9017D052AFE6B60F271B41EF3A1E8D,SHA256=5E1AE3B90B62C5610E87224A64C8B1D09CCC120165C11611EC46FBF352DBFC5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033449Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:00.286{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB3E9549A1520EE9B58340932BEBDBD6,SHA256=2685A226622DE1F7DE5ED4CAC7B561AEEF48287228EA20A50CDBD9EE0C8B24E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033450Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:01.286{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B54BB2CC3EB17BAAA492D4E56A25987,SHA256=01F9B7590B7F4190D96D23B8FE0B19EF3F7BEC3C0C85AC9F4C9703B78EC17723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033452Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:02.333{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B9C6285EB53945BD8717A3A2F8FF6EC,SHA256=02923291DC99C99FD95860B40B4C0556C95F85031E54473C9704BA8950791D80,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033451Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:39:59.789{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52344-false10.0.1.12-8000- 23542300x800000000000000017640Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:02.046{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD3D084D23218471A86AA81DD27D77FB,SHA256=82BD04C9D12FBC8E3F3ADBFAFFE9ED8666C7D5E14FCA303437C90587690EAAE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033453Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:03.348{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E380C30F439D214787994895A6620E4E,SHA256=CFD9AAA5661D1D67523C16EBEB0D81F63140C6E8478CFC22B76EB1DC54040D7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017641Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:03.218{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D281EF47A4203B0708C075F702BC802B,SHA256=43D84BC55184B6C023DDD2B6586D5AD3BD719C85920EEFCF0BDCCF2C2F2245EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017643Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:04.359{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78D8A4C23056D33B4385ECA211B96E79,SHA256=81A39550ED800FE365ECE5A31ADAE912D29A6DF6084ED7B20B9B27C92BD173F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033454Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:04.411{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=913E16705B64E379892C0B267130C18F,SHA256=EAD40B51657BA44A9115C0E1CCF585AA0ED71A8047AA6A6F31F8D9D7351AD7CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017642Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:02.219{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50583-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017644Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:05.577{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DF5AD90BC3F28406282732E6D6D2C10,SHA256=177872CD58FBE1CB1993321BB28394AAD8EFFD6B7FC8FFC2CE39D257BC8010C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033455Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:05.427{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54887912AD764817D124F53761B91012,SHA256=CCBB4B36BE9744DFCB68BAA29F375742B6F4FC4A1933E20B68C3333A400AB0DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017645Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:06.827{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A3F25AAC7292ACDF4276547FD6F35B8,SHA256=8C9E8A88F615781CAB190F71F6826FF2BF515261A9887A884A4677595407AAE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033457Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:06.430{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB218C6FC126E057C7AD7D91DA5774A4,SHA256=35B54B684F6EA9DD0A32124260EB448A26CB7876A25D52588BA7F8C70A4D0DC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033456Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:06.230{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\respondent-20211005071805-079MD5=AA6F78CCC35FD74424B933C975A9F779,SHA256=482DFC86E7C4A11E76E3E352EB64B396C84C083D9F57F37823883232EC55A225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017646Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:07.859{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B1ADCC9920D76BA9DE7DA5C65F6C0D,SHA256=690EBE339B5209905B7CED2D124FF408A7E11C115E12D2780DC2B5A907B30D34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033459Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:07.444{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66271CAD0B34361815CEED71A4E9A788,SHA256=7F5F7D2C3510C792B3DE97B4515827EDD427D21A435A4E44731D2DA8D742CA66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033458Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:07.228{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\surveyor-20211005071802-080MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017647Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:08.874{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D9C3219E63933A89217D92C3EC4AAC1,SHA256=ECC9CB4F3A2F486412EBEAB7ADD6E5F93EBE381734F0A5D745221BCA94D571D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033461Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:05.759{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52345-false10.0.1.12-8000- 23542300x800000000000000033460Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:08.448{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF604BD9CAC9AC38D74898BAB6F2532A,SHA256=4C03206991DD766BE5A9BAA78A941C826FC9EF7F616D2BC1DFF2060686F9F48B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017648Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:09.890{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8808E471F5523F9B26C50B341B7942E2,SHA256=4F22FD1C8F400C8225AB404EC609331EEE618D43FA96B41D773C42438E431C65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033462Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:09.463{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6344E4386DAA58472BD6ABFE3028669,SHA256=D438840BAFECF9296C4AAC90A21EFBBC3301D3A4F4C908C9D6AFC2FC9335179F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017650Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:10.968{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7C28FC628F9DF347F85ECBD699CC7DE,SHA256=E57D1AF73A565B4DCFEBC190473B1D0EC179CE7F3416B2D8ACAB80AED49F8299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033463Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:10.463{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=385ADBDB96F119EF4703F2153D76A8EB,SHA256=EC170BEF19F2577EA983BDF26EE4F4251238334B44EDC0B6D142525E85044BFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017649Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:08.140{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50584-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033464Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:11.557{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D9B009530D42D72D59FD46046A1AB80,SHA256=76512D4CA1C37FEEFF414FEDE17A6207337F3A67E38C79010268DAF8F8A1FAA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033465Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:12.557{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50386BF04C1C410910E558C9BC2BC033,SHA256=C4CD2904638F30E92B62A1A938994995BE4C79ABDAF5BAA11220D35DAFC9C80D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017651Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:12.187{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F795C74429903244180300EBE55A813C,SHA256=3663CFB6855E2A3A0C847A76CF4466A38FCA9F8F7888B40CC7E753E2D5ADE326,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017652Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:13.421{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63C4708ECE0D535805B1BE56CF3ED6AB,SHA256=0612CE6E345FCCAF444C9DEBB54A47408393F03B7BD587D9DC7BE51DA18B69A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033467Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:11.717{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52346-false10.0.1.12-8000- 23542300x800000000000000033466Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:13.588{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9868FBE2AC676BD92B303D7089628B5C,SHA256=E858E9793B6BA2FD4FE640853EE37FD7B5DEF41D874E2130B0C194F0DE98EADC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017653Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:14.577{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFC959E914BCC5E126ADA7E323A6430F,SHA256=B06887E905327E3B425DDBB64E3477075CFDA114383FF38A73DF64C718C3F51B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033468Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:14.651{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30F89F6AB074A9ADF07A681CEFEB156C,SHA256=4F758C2B4AD5BED1D9A031A143606B5604E9DFBB24CBED8F8665AA5BC80EDC5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017655Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:15.671{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE1DF2448DBF1F6A78C32E5F03B181D8,SHA256=2B5C6F772A852E63591288B734EAC9871DD6EA17266C08333A4D77D4C34F214F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033469Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:15.745{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0E573142B47E5CCEA266FFA1F45E696,SHA256=F855875B7A690CB0D34CBF461C82E68FA995B4EC13D3188F52B22F7079FDD8A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017654Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:13.312{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50585-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017656Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:16.671{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=586207BFD9CF0C5AA5397E4DE55B7635,SHA256=DA1EB5658BDF53BD10E3999EA922445CD7F3D9E084F3447122381671802AFFCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033470Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:16.745{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49FE08F482B6F3992158FE19E122D1B7,SHA256=60C97169A6CE1028A5F6D32FBF80DCA2D34E14F6405EA4161751FBBA4C13176E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017657Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:17.687{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BC295BF1BEA69A8EDC76A203E07B238,SHA256=1348BB71FDD1AFB80D67C368293FB2D392039E869BFA54FBCA3D485E20AD625F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033473Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:17.854{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CB35ABE96BA8ABFB45D8B6996D00956,SHA256=ED2AA5B5A3984A75ABEE93234DB09D40B89C318E3F43E91F3E82B97C7FBBD310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033472Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:17.854{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44CC35F1D23B11D11A9DD4E74BB75B57,SHA256=19C8708B51BCAEB35426F85B8E5942DC86B8E458EEC9621E6F6FC354133B201D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033471Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:17.760{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FAE8F50D8B80E73104F506A147544C7,SHA256=C4255C60139BD962116E52FC1C297BFD135ED83346A62478BFE75E94978410B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017658Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:18.905{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=251B1331A70E8744149F5A81E261523A,SHA256=D842F6B06110D6491116DBC3A13C59A04503148B0C20CD58118567576936CF0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033476Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:18.760{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D6816F08E2967874E05CC0D1CE1BB8,SHA256=4DB810FCE31A8CF7DE0EA8DED509C81DF508A3ED2ADCD5FD02D11B5BDF76A11B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033475Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:16.420{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local52347-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 354300x800000000000000033474Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:16.420{6EDEAD03-FC2A-615B-2900-00000000FB01}2912C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local52347-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 23542300x800000000000000017659Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:19.957{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A65ABB9EA186B6539B0747D542F6A259,SHA256=FECE13B5085D7FF5CF98FE188430DFC94634E7F6DEFDD6EDBEBDD9FE4AC412D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033478Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:19.776{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2513188ECAE8D2A73F7C0B539F3E8665,SHA256=4582AC6370F8019D4DA4B67A0E0F63BD4F5C4A86B673FD1C888191D8E2381D2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033477Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:17.685{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52348-false10.0.1.12-8000- 23542300x800000000000000017661Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:20.957{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3A073A0C2FEF97484C6881A104DE3E9,SHA256=8638F83316F90CB4F74F7AC6E18AE8EE9BBB6B2514AFF306230450D8A362F7C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033479Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:20.791{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=239E092E6DAEC1BAEB44A185BED306A8,SHA256=7782ED27C3D7D2D9ADBD47C00178FE0484C6AF41012082E7DDA3FAE291B53C6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017660Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:19.297{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50586-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017662Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:21.957{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=641A4283A15BEAF94BDD010FD5AC6099,SHA256=0D121295DFF5312F91167E59EA2F83CF03ABC32B787786049EFE5F8AA0566D0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033480Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:21.807{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A11A87A6F1312B09764CED5C4DE16EA,SHA256=45D9069D54B6E1334F61528A2765312B98403DECDD637B3D4C20DDDB4DDFFCBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017663Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:22.973{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7CE891B57D125C36A78B976F4A1F042,SHA256=34EF754FC68E30CBDA77BC6886593B5680279F436C41BC3AE8173E8A08C07D58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033481Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:22.807{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AC2B102DF2D777FC8303C6D095CFD3F,SHA256=F950C12042B34DAFDD670014ADD8F5DB93FD9B6AE82B9913D9B29A596C1D216A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033482Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:23.807{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2318C6EF9768177955D0758ACD6936C,SHA256=A8D38CDA1EB80D622BE4F55830A37C64F4B432D57B800F2853A9E2286427F7CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033484Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:24.823{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25F5015BD7B72D5F1C15ECE8C070A51A,SHA256=84F3C25D003420681AD0558AFFB3617962E1BBC0C07846D02443411C0B7342F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017665Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:24.883{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\respondent-20211005072534-072MD5=9DBD3CF651CAD1963D7DD9E70795396E,SHA256=D00FE5240C0E39CC33FD8ADFFDA13197E8833401D0A3D05F731F6A79B8E00229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017664Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:24.129{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=497682D80B1E0A7E3344DA069FB94D1C,SHA256=5C7C9DDB2B40485E88090E5E8E9847AEDEEF485A0BD541EAC0F8E03D3A64D603,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033483Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:22.857{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52349-false10.0.1.12-8000- 23542300x800000000000000033485Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:25.838{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD6A058D7B4A5906484E3DEEB3CED38F,SHA256=5349E40C849F478A61E1A67DCBB2B6E9BAC42011F6BDE61F55C6FC8AE6DA6823,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017667Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:25.897{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\surveyor-20211005072532-073MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017666Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:25.146{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D69C991F7BFCEC364DF08AE7920A2B5E,SHA256=CFCDFCAD412EFD5B29909987225299B959ED778DAFF25615AEF6E14C63D0388C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033486Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:26.838{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4606E64BE4DC8BD7F061F39025680E9,SHA256=89F2BA3C6EDFFB5B5BC2B34CB6CE502FC312929D5A3F2B2FB054EAA04690F01D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017669Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:25.146{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50587-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017668Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:26.378{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED8ED18FE352FA3620C13EF949647594,SHA256=25BB3F00267B16D79F377B2FFBD94E9DE276F39058B836EBCB1D62F028FB827B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033487Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:27.854{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7477BD5A283C52EA4BB1375E1BE87E8D,SHA256=331985A8A6457BF2CE41F51CB4DC0C651F8139CD040BB9DADD2C82231475C656,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017670Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:27.411{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14D9C5C9DCD313D8AE59BD5EB953D669,SHA256=ECCA0DF189B6EDC6B3B7F8EFE5F40E01AECEC81A877711047E30D19DAE3A4418,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033488Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:28.854{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0F9153422FC10B59E9BE8E94864AF9E,SHA256=210449FC03E276871C0FB3158F91D83AEC3AB97EC65442BCAD2D6B5575C64259,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017671Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:28.630{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=167DCE01DF3BB87185C6BC72A8BD9391,SHA256=E1FF402CD0BC4B04A05CC31868AA63DAD523E78942A2C526F4FAE9BC6A238516,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017672Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:29.661{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA95DB0A26A9873E9CB4E3C761EEB348,SHA256=EA11C02243B6AFE6CC5EF04BF1A07D8EB282ADBDF669600951341D50366B8B9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033489Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:29.869{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A03068B794E8322C2CDE2F860A5B9CC7,SHA256=420163C7CE3A86B6276D826F92011590BBF4B6CAF37EC66D6721C9AB79E0A9C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017673Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:30.880{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A8DE311E15F54DF69FC29EB63C0F2F3,SHA256=B87CFC68E9B6BE1B1C1E07ADC3B63FE7564E8FA4BD8106BBA102F578C2F260E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033491Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:30.869{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B61390EC646DF5B4E2785B935B4EEC6F,SHA256=728C6031DF499DD72674B14A0705B81208A38D63CCFE6751641C79F9319D0BD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033490Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:28.654{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52350-false10.0.1.12-8000- 23542300x800000000000000017674Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:31.958{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E2A01495D2F6DF98D77F71A16E2C022,SHA256=FC5549AFCA2A1BD34C95FE6DF70EE3DED8B64F640BC06B2D5C826A81E41C71D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033492Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:31.869{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49B539C7194F1EBE3842EE19AB34A70F,SHA256=0668358C832DA1D045BB912FFC78E69987576A755DA7976354CAD1A9ACB53F69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033493Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:32.885{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=361A49F239BF6177202BC588EF7DC6A9,SHA256=40EDD74C18211D09AB4C0FA40993A9FA00BFB712381D2CBDB2B95CBA17DE6C67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017675Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:32.583{49C67628-FDEB-615B-1100-00000000FC01}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3AE15CF0CC4EFA90EBC5189C4EF33AD2,SHA256=773F7CCC9E64D0619AD23BACDFCEAE6E4951384D62EAADECF858B7FA4069BF27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033494Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:33.901{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D911DAF7C1855F55F0979EA4B051A6F1,SHA256=65D0544ECE1D3AAC151702E5C30B925674D5D6AA7FCC5F11DEE4B5E752B76280,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017677Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:31.130{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50588-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017676Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:33.067{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A440CA33F05285486EDA3E0B647FDAA7,SHA256=73C617BA08FD9A62D76221D4540E8C33BE1680DE28D9B2F0A07B6135FF6D1840,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033495Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:34.901{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D72A096E3716448043B16E2F09281CD,SHA256=6D5606675A1E8327543C050786B8FC01D17207CD67AC05A9E5666DC85F09E602,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017678Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:34.083{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C53FF1A659C0F4F3B54F39787A780362,SHA256=B5C4B25BBB704BB36BAD5B8617AA1C478612AB3F44F5F5450813DFEDC8C0CDC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033497Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:33.732{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52351-false10.0.1.12-8000- 23542300x800000000000000033496Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:35.901{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ECC142C16DB3814B8C96FB7FCE9F25D,SHA256=E5A8307C9912A6FE3060E763D050F90E6DE134A3BB5A031715FE4E045F4C208E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017681Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:34.945{49C67628-FDEE-615B-3A00-00000000FC01}2836C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50590-false169.254.169.254instance-data.eu-central-1.compute.internal80http 354300x800000000000000017680Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:34.944{49C67628-FDEE-615B-3A00-00000000FC01}2836C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50589-false169.254.169.254instance-data.eu-central-1.compute.internal80http 23542300x800000000000000017679Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:35.225{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30F3B81C36E10D2288CB53C32AF440DB,SHA256=46F94A826186F0DDF75935DD19BAC08A1C1A8ED3FC6CF8C7A98E4BAB64849CB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033498Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:36.901{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B0C8FF6A0CECEB220761A8B3D5A2E91,SHA256=DA95B63AEF6A717788E2301218DF2AA5755AABC111CBE580664F95A8D9A90661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017682Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:36.227{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF9B0AFFC76CE6F8D29A5569EE1C2EC4,SHA256=7808C93119BEBCED52724F08454EB53197EF78DD66EDC8A516A07897E2331F80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033499Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:37.916{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BA0B2A7E11217132E8A1459177A0BE7,SHA256=3094B23AD7A1AB7B61530B999BCA796E65FAE71CC3F2DFB747D4DBD1BA45BD34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017685Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:37.461{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FA7B57EB2438F72244D34183C38BE2B,SHA256=EB8DB96FCEBC2870FB9B4DD180145E22E35230F858BD302F2E07412404E00017,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017684Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:35.067{49C67628-FDEE-615B-3A00-00000000FC01}2836C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50592-false169.254.169.254instance-data.eu-central-1.compute.internal80http 354300x800000000000000017683Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:34.986{49C67628-FDEE-615B-3A00-00000000FC01}2836C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50591-false169.254.169.254instance-data.eu-central-1.compute.internal80http 23542300x800000000000000033500Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:38.916{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28A3ED5DA9B76E660DAF611855AE41CE,SHA256=5DC446D9DFD9053B4DFBD1D4D17A1C6B7534FDA68079DB953DB9A8E73B55DD6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017687Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:38.476{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C6154FD3B6A4B1287C32B8B23F82C9,SHA256=FA5AD3E3CDA02158F7201E67151DC33FC7598054764B8165027CCBD1FEFB3470,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017686Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:36.211{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50593-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017688Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:39.726{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3FA9DBC4032DE13E726A398EA2CA4AE,SHA256=C777380EFDEAD943A80FBBEA0D52394D8132CBFE4A458A8DD6B762933C576ABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033518Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:39.990{6EDEAD03-FCBF-615B-AF00-00000000FB01}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033517Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:39.975{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0F87-615C-C606-00000000FB01}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033516Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:39.975{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033515Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:39.975{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033514Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:39.975{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033513Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:39.975{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033512Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:39.975{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-0F87-615C-C606-00000000FB01}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033511Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:39.975{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0F87-615C-C606-00000000FB01}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033510Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:39.976{6EDEAD03-0F87-615C-C606-00000000FB01}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033509Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:39.928{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF032DF395C84D248CAF6F9307F19702,SHA256=93A3766A1806C07CE1A23FA40BA0D8DDDA51CAFDFC6E5F70D10288CE619173BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033508Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:39.463{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0F87-615C-C506-00000000FB01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033507Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:39.463{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033506Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:39.463{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033505Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:39.463{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033504Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:39.463{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033503Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:39.463{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-0F87-615C-C506-00000000FB01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033502Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:39.463{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0F87-615C-C506-00000000FB01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033501Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:39.464{6EDEAD03-0F87-615C-C506-00000000FB01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017689Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:40.735{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33E4DD32A4317E12BFE285C996789227,SHA256=12ED18EEFBAD445DF37F1B607BE3082B945EE566F6C7543312DFC2ED0158CCBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033530Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:40.943{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A95C45E9C3C3F01E44E4FFB9E049ACD,SHA256=22789FD40EB63351B884CDA84D85FEEB3470489E0A9FD414BCC13FF7FD04929F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033529Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:40.818{6EDEAD03-0F88-615C-C706-00000000FB01}54966588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033528Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:40.647{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0F88-615C-C706-00000000FB01}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033527Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:40.647{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033526Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:40.647{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033525Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:40.647{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033524Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:40.647{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033523Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:40.647{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-0F88-615C-C706-00000000FB01}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033522Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:40.647{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0F88-615C-C706-00000000FB01}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033521Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:40.647{6EDEAD03-0F88-615C-C706-00000000FB01}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033520Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:40.537{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D94788C8DC4218314FEA2E6EFB94085,SHA256=7026C5A41A87F9D6BAD62554DF5E3055650C3F0C71488A15EA40B992E7A38A0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033519Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:40.537{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CB35ABE96BA8ABFB45D8B6996D00956,SHA256=ED2AA5B5A3984A75ABEE93234DB09D40B89C318E3F43E91F3E82B97C7FBBD310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017690Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:41.923{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50A20FB0C2531B3800C9BD48AC50A4E7,SHA256=809C60C9E31C14360B7F900EAE1122BEB36C945DF5DEEB0793FE2548150FA931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033532Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:41.943{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE69318DF972131606476C161A587382,SHA256=154FF46A60ADA93ACA458BAA7BD3797970930A15CAC56A9A1548668A977B72BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033531Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:41.662{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D94788C8DC4218314FEA2E6EFB94085,SHA256=7026C5A41A87F9D6BAD62554DF5E3055650C3F0C71488A15EA40B992E7A38A0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033544Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:42.943{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25D4E9FCBEB968CEAEC41A4914D2DD83,SHA256=DF8D940499D66C4B714CC24AEB1962A6A4DF765224AAE548DDCB7401D28122A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017691Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:42.923{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E98ED0030421D35182D78B9245AE5F2,SHA256=A269328C7212FA993C78DF1F059826020D670D2A529A153964801E2DF69F5F24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033543Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:42.631{6EDEAD03-0F8A-615C-C806-00000000FB01}42043856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033542Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:42.475{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0F8A-615C-C806-00000000FB01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033541Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:42.475{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033540Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:42.475{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033539Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:42.475{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033538Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:42.475{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033537Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:42.475{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-0F8A-615C-C806-00000000FB01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033536Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:42.475{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0F8A-615C-C806-00000000FB01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033535Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:42.476{6EDEAD03-0F8A-615C-C806-00000000FB01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000033534Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:39.572{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52353-false10.0.1.12-8089- 354300x800000000000000033533Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:38.795{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52352-false10.0.1.12-8000- 23542300x800000000000000033563Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:43.959{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D2E631AA441EFBABDCFEC1D0FA7F8B8,SHA256=B17E07627C1A0005B64467CEA740BE581761A1653B3506F36501E5F478A17A15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017705Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:43.954{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0F8B-615C-E502-00000000FC01}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017704Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:43.954{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017703Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:43.954{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017702Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:43.954{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017701Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:43.954{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017700Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:43.954{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017699Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:43.954{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017698Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:43.954{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017697Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:43.954{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017696Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:43.954{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017695Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:43.954{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-0F8B-615C-E502-00000000FC01}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017694Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:43.954{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0F8B-615C-E502-00000000FC01}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017693Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:43.955{49C67628-0F8B-615C-E502-00000000FC01}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017692Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:43.938{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=808D4EE72EB9574BBF416E524105B89C,SHA256=E675A2B850C6A9BA9EE4491CC4B750FE869E8B228A1A752760345BE5300DAC8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033562Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:43.647{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0F8B-615C-CA06-00000000FB01}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033561Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:43.647{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033560Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:43.647{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033559Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:43.647{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033558Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:43.647{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033557Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:43.647{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-0F8B-615C-CA06-00000000FB01}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033556Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:43.647{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0F8B-615C-CA06-00000000FB01}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033555Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:43.647{6EDEAD03-0F8B-615C-CA06-00000000FB01}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033554Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:43.631{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1D25281266915D81112D59075166630,SHA256=491D844D453EE3B859AD7E4154F87DC2BA362CC2B14DDB75E039CFDA733E7904,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033553Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:43.318{6EDEAD03-0F8B-615C-C906-00000000FB01}68081488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033552Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:43.147{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0F8B-615C-C906-00000000FB01}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033551Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:43.147{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033550Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:43.147{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033549Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:43.147{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033548Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:43.147{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-0F8B-615C-C906-00000000FB01}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033547Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:43.147{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033546Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:43.147{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0F8B-615C-C906-00000000FB01}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033545Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:43.148{6EDEAD03-0F8B-615C-C906-00000000FB01}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033574Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:44.975{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DD75A6D189C9D0AE4301C2B99E85859,SHA256=2F4B0AE3BD968CFFD3E150F1BC5AD346EC8A276AD0C48FC760C03519035A2CBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033573Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:44.678{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B60B6CEEA563E53714928883582C896C,SHA256=57383973A551DAE32FC2C619577DE25F57F301D671BA7E34E563B77EF0336583,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033572Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:44.506{6EDEAD03-0F8C-615C-CB06-00000000FB01}8723556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033571Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:44.318{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0F8C-615C-CB06-00000000FB01}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033570Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:44.318{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033569Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:44.318{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033568Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:44.318{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033567Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:44.318{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033566Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:44.318{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-0F8C-615C-CB06-00000000FB01}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033565Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:44.318{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0F8C-615C-CB06-00000000FB01}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033564Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:44.319{6EDEAD03-0F8C-615C-CB06-00000000FB01}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017720Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:44.626{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0F8C-615C-E602-00000000FC01}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017719Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:44.626{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017718Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:44.626{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017717Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:44.626{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017716Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:44.626{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017715Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:44.626{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017714Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:44.626{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017713Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:44.626{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017712Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:44.626{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017711Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:44.626{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017710Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:44.626{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-0F8C-615C-E602-00000000FC01}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017709Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:44.626{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0F8C-615C-E602-00000000FC01}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017708Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:44.626{49C67628-0F8C-615C-E602-00000000FC01}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000017707Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:42.251{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50594-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000017706Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:44.173{49C67628-0F8B-615C-E502-00000000FC01}12123412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000033575Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:45.975{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66E29F301E839A403A13E92FD100EA47,SHA256=F4B54C1DF71F2EC76C143A7ABAE2A5E9790FD9F1D98CC39C623C11BFF582000B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017736Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:45.298{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0F8D-615C-E702-00000000FC01}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017735Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:45.298{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017734Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:45.298{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017733Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:45.298{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017732Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:45.298{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017731Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:45.298{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017730Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:45.298{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017729Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:45.298{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017728Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:45.298{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017727Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:45.298{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017726Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:45.298{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-0F8D-615C-E702-00000000FC01}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017725Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:45.298{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0F8D-615C-E702-00000000FC01}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017724Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:45.298{49C67628-0F8D-615C-E702-00000000FC01}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017723Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:45.079{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=369CC459A37E8F0C5D930DD277184046,SHA256=61FA74055FFB889E07B799558EB944D18DFCB1D0093C1A0AEAD3864CA9386DAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017722Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:45.079{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69226F4D0C513AD20EE4A6584FFA2DE3,SHA256=690BFAC213D9F3E0EE769B15412D85719491B96D3D31D77A155AD7C1C2DA1701,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017721Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:45.079{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=178771BE7C389A33BC834DBB20DC8312,SHA256=0F8A060A319AD7D18FB1BA9DD5D788B7EB94BB4E8FAACDDDACF5BA1CB0C6CAA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033576Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:46.975{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A68AC390BDF913A053F934A433D50B3,SHA256=C599131A76E20A8E52599FC9EF0A08959961903ED9561281055E02988B09FC02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017752Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:46.376{49C67628-0F8E-615C-E802-00000000FC01}20361644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000017751Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:46.298{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=369CC459A37E8F0C5D930DD277184046,SHA256=61FA74055FFB889E07B799558EB944D18DFCB1D0093C1A0AEAD3864CA9386DAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017750Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:46.219{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0F8E-615C-E802-00000000FC01}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017749Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:46.219{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017748Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:46.219{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017747Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:46.219{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017746Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:46.219{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017745Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:46.219{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017744Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:46.219{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017743Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:46.219{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017742Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:46.219{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017741Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:46.219{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017740Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:46.219{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-0F8E-615C-E802-00000000FC01}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017739Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:46.219{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0F8E-615C-E802-00000000FC01}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017738Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:46.221{49C67628-0F8E-615C-E802-00000000FC01}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017737Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:46.173{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E07F73DD8D3836C4D9839B3EA9061C4A,SHA256=EF77BC65EEA0EB0A1A74E980443707C9666E29298B6266F2F207A28D3BA47207,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033578Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:47.975{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D0D49AFFA23DA746A153705499EFE09,SHA256=62FB7B3DCC665716679FEB409729C738EABAA7242A314A8F8E8FEBA6D9A13155,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017766Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:47.985{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0F8F-615C-E902-00000000FC01}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017765Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:47.985{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017764Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:47.985{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017763Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:47.985{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017762Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:47.985{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017761Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:47.985{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017760Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:47.985{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017759Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:47.985{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017758Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:47.985{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017757Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:47.985{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017756Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:47.985{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-0F8F-615C-E902-00000000FC01}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017755Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:47.985{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0F8F-615C-E902-00000000FC01}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017754Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:47.986{49C67628-0F8F-615C-E902-00000000FC01}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017753Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:47.188{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7BEDDE60C1C1F23E95AF3C2A998109F,SHA256=0596B21C657EDB0EDC92E6D77C2EA791B9095FCF730800BF87B14CE07A71F6A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033577Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:43.806{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52354-false10.0.1.12-8000- 23542300x800000000000000033579Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:48.990{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA67D11C02F724403E7506C6EBF8EB64,SHA256=9160DB83A665709DC2AF86E7B7235FAA806AAB61DB218359826C4A114D8664C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017784Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:48.688{49C67628-0F90-615C-EA02-00000000FC01}28001204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017783Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:48.485{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0F90-615C-EA02-00000000FC01}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017782Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:48.485{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017781Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:48.485{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017780Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:48.485{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017779Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:48.485{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017778Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:48.485{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017777Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:48.485{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017776Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:48.485{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017775Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:48.485{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017774Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:48.485{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017773Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:48.485{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-0F90-615C-EA02-00000000FC01}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017772Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:48.485{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0F90-615C-EA02-00000000FC01}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017771Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:48.486{49C67628-0F90-615C-EA02-00000000FC01}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000017770Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:47.283{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50595-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017769Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:48.251{49C67628-FE68-615B-9F00-00000000FC01}1772NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017768Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:48.235{49C67628-0F8F-615C-E902-00000000FC01}19361336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000017767Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:48.204{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF7CEBD02A56C3F9D319748CAA6F6FB,SHA256=124053DDD555C7CA74729AAA10CCB1B2DBE6EA61F68B5C55E1CCAE5B8BFE2A58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033582Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:49.990{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCD194711DCBEE226025A4DCF04D65D5,SHA256=6BCD100A3C819D52F512B0C2E9F132559872ADF1C7DFA78EBBF826A785AE43FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017800Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:48.298{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50596-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000017799Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:49.251{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DF215C7DCBBF0414AF3C0F8F9618D77,SHA256=123E610C8A1ABA668AD0BA3F910D7F1CC84D835DC64AF59E51C3989AD16AA307,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033581Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:49.678{6EDEAD03-FF62-615B-ED02-00000000FB01}48006764C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF62-615B-EF02-00000000FB01}4920C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000033580Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:49.678{6EDEAD03-FF62-615B-ED02-00000000FB01}48006764C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF62-615B-EF02-00000000FB01}4920C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000017798Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:49.157{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0F91-615C-EB02-00000000FC01}1680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017797Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:49.157{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017796Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:49.157{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017795Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:49.157{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017794Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:49.157{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017793Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:49.157{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017792Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:49.157{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017791Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:49.157{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017790Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:49.157{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017789Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:49.157{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017788Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:49.157{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-0F91-615C-EB02-00000000FC01}1680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017787Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:49.157{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0F91-615C-EB02-00000000FC01}1680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017786Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:49.158{49C67628-0F91-615C-EB02-00000000FC01}1680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017785Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:49.016{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78DF7FA3503A6F0A7DA8FC63ACB6F469,SHA256=2EF72B71B31075A346195B17A8F4AF5F5AC5795642CB81C82665B41CF3BDB18F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017802Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:50.266{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C6A76DBB78E1655255512831876E32F,SHA256=56E36782DC2B1A20C5EDC46CCD7DA8AB4B41C869B6B211C3EE9C6DDD7B691D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033583Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:50.818{6EDEAD03-FC1D-615B-1200-00000000FB01}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=98A8C0437DDD3045C6BF7F621A089D17,SHA256=BB4279FED9380705B0B47BA34BD99F1C5F2952B298A4B9522218FF3D4E96FCAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017801Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:50.188{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7ED05FEF5AA54867B85284FA6A3BD401,SHA256=1D972C8A364C16E6D88B27CDF1D898B6D333A7DD8DBBBBD86DCC610699F6FBFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017803Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:51.485{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE7E352610DBD1BDA1AA76E6583E34E5,SHA256=A931DEDCD617FF518F6B5E63B9B8F976C26795C6B08E348975F894E06273E729,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033586Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:49.290{6EDEAD03-FC1D-615B-0D00-00000000FB01}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local52355-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local135epmap 354300x800000000000000033585Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:49.290{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local52355-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local135epmap 23542300x800000000000000033584Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:51.006{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ACF85BA063EA188053E4E0ADC490009,SHA256=AE3DAFD51483192AEB03BBBD50326DA6119056271E48B0CA86E78A7AD1BDBA0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017804Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:52.548{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A77197503B82BBF26DE9067B8DCCE70,SHA256=CC771F150BC02889D203DE370286C287085C77AB297F2286AAACB86E2727B8CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033590Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:49.713{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52357-false10.0.1.12-8000- 354300x800000000000000033589Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:49.291{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local52356-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local49666- 354300x800000000000000033588Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:49.291{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local52356-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local49666- 23542300x800000000000000033587Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:52.021{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=178CC99E6D8A2B42D3E0E1E0A06C242F,SHA256=F8A463047DCCF79350CE5D800F35CE1A5FF515BB0988E51FD112A27CFFFB1D76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017805Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:53.688{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F8CEEF5297B381EF37BA488C121D45B,SHA256=777183A9837BF8DE3D9E968ACED3F7E43D9B77E947997ECAEB26895FD1908E46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033591Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:53.037{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A996F846ECD6D914C1D7CA9056B413F6,SHA256=131DA79981E4A088BCC311DCBA5BDA7EEAAA7214452DA6F80EC01E41E3F22271,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017806Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:54.813{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84F00A977CE1A65C22EB264EDA9BA17D,SHA256=C079460E4DFE3792C15D14823C0CCAADE2ACFD226BC3CFA68D53D32EF84547BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033592Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:54.037{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDCF6EB887F536662DD91D6257998252,SHA256=A6DB1F88DD1356C97BBE927C21242907AD6E09AE44D9402E31B9C7B8DC7079B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017808Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:55.954{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B07B95FF72E2E637D6F770B266D0EE1,SHA256=58859772E792ADC8542E152B454B17A629123B61EA42CD6085DE66AE1FA87D64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033593Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:55.037{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA532EF57232698FDFBD1D913E3B1A6A,SHA256=A16D0CF072C22C9769C7F416B9FFC91F26D92CB0EEE6382C9CCFFC187A5D6253,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017807Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:53.064{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50597-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017809Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:56.969{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6652B1534E50E4CC1A2A34ADEA27FC8F,SHA256=08D8033DF48D67901A9122D3B6CFE41D51E5DC2F9C7AFC6192064424E83E597A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033594Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:56.053{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=296F81A563D9C93358321472466B6780,SHA256=3B8FD4AAB18A33C05039C1F4CB762BA93DEEF712E3EDDB50D8399B041E1BC238,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033596Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:55.666{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52358-false10.0.1.12-8000- 23542300x800000000000000033595Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:57.053{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A9E533DF29AFC1ED041450D28AC424F,SHA256=4BE583F88723115D2DFB02037BFE2D662EE044733373233992F701A9A8FBFAF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033597Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:58.068{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43D280EF9D81A9967D65014893B0F21E,SHA256=AA5F4AD5F83AD74A74A6FA740219000844DF74AF062CB760202822F90C14BF3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017810Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:58.094{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1A75C49FC34C5804F7058EDBFA44285,SHA256=2842C8682C374E52D33DFD507FAEC03236CFAE7FCC370E15637765D7DE011A4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017812Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:58.111{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50598-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017811Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:40:59.251{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF624E2055713740ABD7F672A0A35DE3,SHA256=31E8EC77C3DDAB09A0FDF4A1B80FEFD7CA576C152AEAD5A35E012F1C314FDB09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033598Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:40:59.069{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF2A3F9B1F05C15B24304E63AB478033,SHA256=AB3A40C9F3FFCB3858894938038A29325BF0F7AE2B69BFE356BB86F030D7CEDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017813Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:00.265{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EE036247DA3BCEE471FC94D5BE02A47,SHA256=D6A797A1CA6297E941119EEC9F3BD07213527B2B5F85275860C27700C911C5F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033599Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:00.082{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDB6420BA2F3ED3ECF388ED7AA654D9C,SHA256=559EE32556EB4E395028AF0762B10C2A6239609C16C97D9F927C3FE2FCA5D1C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033600Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:01.098{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14B6B7D2524B255115B0CCFF862613ED,SHA256=3A488C520CE6506DC65D97089323ED2F5C438946EF9CCA978D6180F3DAB30F43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017814Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:01.281{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA9F41043E389B64C1080A7D52E12D0,SHA256=5B352AEB568118CB28EC8F63C009655A9D43CE74A10215EDC4153812752B882C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033602Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:00.789{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52359-false10.0.1.12-8000- 23542300x800000000000000033601Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:02.098{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAAD6061B02893AAD0061D4CD5240184,SHA256=FDDE8CAEDAFE03F555FBED80AEEACCD1681381FED012F0CCFDF1ED86D6DC87F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017815Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:02.296{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=171A1CC2CB7E33EAF8E91E7DBD272F02,SHA256=918BA5A4296CA4051CF228AFC479C571D60D8995914E16CE0502F34B1827CED2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017816Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:03.312{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4113CEB1606FD4D62488A65FCD02FB5F,SHA256=A5549487A009B22A5ECCE1C6CC0B214E577F5BDCDB00A7A446C165C70BC05BE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033603Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:03.114{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B832CAA24C5E76509275871685BF2FEC,SHA256=7624A7984A36768C43E88463DAF625B4E11FEC03F783D59B6C1B8903513CA873,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017818Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:03.297{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50599-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017817Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:04.328{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87D4E1E436592F6E27C2A7A0A27AD6C3,SHA256=8E628B13C7E5E874C75DD6BE927AA1CC5EAB7B492AE85C9A470C4C515E4EBA31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033604Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:04.114{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFB410CD0A137186413CD3496D9CBCF5,SHA256=62F31B95871C76212454E95D39FA8C0AD8A844F742996E396CB04EFD4A1B4C0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017819Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:05.328{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4562A97985698BE70F46CF252E7AD1D,SHA256=E984DA8BA3F6AFF65B10730C96CDA896825C880B8E1115CA9B6607D2AB159B26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033605Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:05.129{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAE2B69C7F6ED67354675A660805D323,SHA256=0EC1890BEED8877E5AD48865E89F906BB823DB30327B3BB76C20B72D42AF562C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017820Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:06.562{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5291F67BF6B8DDD41D3D9E3B0DC77887,SHA256=DD0FE4011ED76615678C68D4A869DD520C3C7646C5E06BD99174F6C67C3FC976,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033606Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:06.129{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF580E9FE36C6194BAA2CD8AF8A26E6E,SHA256=7F672974686BB6DEA8915471CFD662D66A7799AB7CBD242C547C38F8D93C02B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017821Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:07.796{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D981D5BBB9EFCCB490BF181F979E6D63,SHA256=70EFB3BED4A79DF595538192650984AD649ABC4D3B87C7305A996C3667B2DC82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033609Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:07.758{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\respondent-20211005071805-080MD5=AA6F78CCC35FD74424B933C975A9F779,SHA256=482DFC86E7C4A11E76E3E352EB64B396C84C083D9F57F37823883232EC55A225,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033608Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:05.837{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52360-false10.0.1.12-8000- 23542300x800000000000000033607Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:07.145{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=943D132178043EC8AA679E559FECB081,SHA256=56B91C452324463EBF3604DBAFE836759E0B62BA2E2466DBD05E121CE2C622D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017822Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:08.968{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9153CB0CA5464C30D30EAFA8C00E559F,SHA256=26A73714DED31EB28A67F972C3E2066DE665D72E0ADFEC2B09F17ED41CB9C2A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033611Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:08.772{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\surveyor-20211005071802-081MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033610Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:08.146{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36239CA7BAB136FD2E78ED081778AEAA,SHA256=765773835A911A6CF79E2F8200F1E032644625CEB71A3FB1FD6CD95729FFBD4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033612Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:09.160{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79AAFEE910624F4CE83DE2866BB83AF4,SHA256=5CBDA0F6D1A9D651DAEFBF29F80A7CD369900CE805C5DFE781794E113165DF8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033613Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:10.163{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67E363AC60F2FBD186EDDE4E51499D2C,SHA256=AC50485582E543667A6A644C01B9CD4AE152E8FAACE483B54516C2CECCFAFE69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017823Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:10.124{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=367F644FBAE6C7247535BBCB430DDD22,SHA256=48BA805393F8D11601C19CE95F39FF5037205AED877500EC55936486BEEDA5AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017825Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:11.359{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51599A4F144F1A3F01C2BEFA6F82B02C,SHA256=D165F75BD7B02733663CC7DA0DC66398EDB72D6EF881F57AB6B6C92EF7E64EF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033614Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:11.178{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94EA0A6A153BDF6B39CF550E0E287489,SHA256=9F48458D8621F03F23641B3AA4E5ABA23D8802A22099776FD490B5D014511B1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017824Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:09.188{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50600-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017826Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:12.390{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A30C0A8E137A33072A4659F6C7F98E5,SHA256=5A5A5681D4181B3EEDFC669FBAB0EC4E32FA729F4C4A8082D98FA6431A770EEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033615Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:12.194{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65F36DED194DE9C3EF54332FF700B9E2,SHA256=91C97C28A1BDF6E5D1695866EF1E519BDA9D1A24F0AA623D23D75198883E4171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033616Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:13.210{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A108A5C5C329DBA76986FBFDA8D56F94,SHA256=3A5CA4F3EFE0CFC816D831F38B8760FEF3AB118CF76C6DEBAC0D3834CBF448B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017827Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:13.421{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=716327330DD06100B2FDC06F411CBEAE,SHA256=AF4671172FD1C309DC9DC8FA487B5CC32BABD05E8F066D0B573E1D971BC9483A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033618Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:11.651{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52361-false10.0.1.12-8000- 23542300x800000000000000033617Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:14.210{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C399056AD2DA34AD7CD46E250A9FE161,SHA256=58BC78A1F774A53C01BB810CA16B7F6B9CAF1B5857000C7CCAD2E8451FCD7387,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017828Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:14.437{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DBBE86130B5D9509F31B699F17D7939,SHA256=DE4612B6B25847EF2AB44AA5B8BB38A29C0197550F2FD47E3BD3A4A29C80B8E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017829Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:15.453{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04116EA7E11C6566DE783A2C4C80D8C3,SHA256=AC3BE860655D86907AEBDCF9CF031032585866CF8686CEA0356C842AC56C3B3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033619Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:15.225{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F90451BE7DB207DF90D032829A82D38,SHA256=614EE1733F04D0BCF5C7DB64F057B0F4F07914291ECC4EF9380FE9635AD62DBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017830Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:16.453{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94D75CB62534AEAF69CB9AA5C9936D9F,SHA256=9C48629DDB328CD6774CAF4CB5740CD7B9F6AE42671C34DC896C84C980342884,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033653Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.413{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033652Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.413{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033651Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.413{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033650Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.413{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033649Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.413{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033648Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.413{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033647Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.413{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033646Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.413{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033645Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.413{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033644Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.413{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033643Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.413{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033642Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.413{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033641Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.413{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033640Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.413{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033639Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.413{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033638Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.413{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033637Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.413{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033636Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.413{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033635Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.413{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033634Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.413{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033633Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.413{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033632Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.413{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033631Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.413{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033630Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.413{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033629Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.413{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033628Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.413{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033627Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.413{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033626Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.413{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033625Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.413{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033624Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.413{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033623Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.413{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033622Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.413{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033621Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.413{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000033620Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.225{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D9E3A1163C7B836E5450AA472EABB1A,SHA256=E4060460EFA9F63DB9D01DA48C6B98B315C0B235597956866939818C3DAB64A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017832Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:17.453{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=665BD24E7294454D4C5FE3CD84ABDB75,SHA256=A9DBBF01B6D5F6B16FD5DF8E2D837DF6B51DB0BC60150E70CCDE4B9B8F8400A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033656Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:17.866{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D27DED1119387E74B27384F8C804A7C,SHA256=4D4074E768E21A948C712B5D7AD03598F871D77FD57F6D2678CA51B458C39073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033655Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:17.866{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02F8C30556F4A76E9CC13B1E2EA5FE36,SHA256=A864272EA698D26EAF0E9646D0370EBEBEE175EB826F6D18CEE0F8DC6702B986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033654Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:17.460{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D350DE7634E2B3527B02555B1026AA2,SHA256=B5A589667060D4866B8A15B0EDAC4C6F863FD25C47F27F38C2C6A3EC87A085D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017831Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:15.175{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50601-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017833Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:18.671{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F8118BEBAFDBABF56DF5AE6E30A418,SHA256=4F37564427285123717150ECDC3F5AE18A5286E66B336239A9A28180EB46B504,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033660Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.729{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52363-false10.0.1.12-8000- 354300x800000000000000033659Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.432{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local52362-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 354300x800000000000000033658Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:16.432{6EDEAD03-FC2A-615B-2900-00000000FB01}2912C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local52362-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 23542300x800000000000000033657Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:18.538{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C00E563A8402F9E4C4DDDE1476B685F4,SHA256=EE5942E96E6D1C7DA2950B7ACC375CD99DA0774CC223A806AFEFC2B4920FFA21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017834Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:19.911{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C5FEA0EDD6D664B034EE9B5B582DA37,SHA256=7F533AB2D9B13A4B282A8BBF53D847F54CED0BDAA69D0B952B1CA284E6B6B01E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033661Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:19.600{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F1E8D8CCBFBF25286C79994290496A8,SHA256=C4CA0A159058A7BB426533E6000048C8B092BC9A99CEECC8080EFBD87040F4F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017835Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:20.957{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8235950F5054D05EFD09C0D511845FAB,SHA256=3503D14F6ECAE32EA43879944A774D4C421F1A9858AF8785A5DAA7ABE734E3C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033662Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:20.603{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FEBCCABB817C562F06E760BE654470B,SHA256=26C3EF132E1A9D58FA009D48FBD136FBFDA9F4EEA88E4BFB859C4695A00EF008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033663Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:21.696{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB508494DD2136E13F3808B173745850,SHA256=0B08F46CC601E3FF859FE8EC520B25EB6906E6802581A80CF80CF36A86236BF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033664Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:22.696{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13D6178CE8F8F6243F16A80B4574C0CF,SHA256=40941E2082B4FB299A2CCCF9324F49D71F15B368965F0383B7A270138D55CCAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017836Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:22.192{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13A88D785609023813E4CC4EEB95D278,SHA256=A89D00D9379E587287DB95A475A817FAAC171CFD868E1DBD8EACFF6D251C92B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033665Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:23.728{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A2F95F67536929EA0BBF86B62B7338E,SHA256=B8AA35147C8F6D77F181FEC20265FA721C5CA51B3D42E336C3898A7192A0EA70,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017838Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:21.115{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50602-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017837Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:23.239{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D7EEF8B7C4B2A81C007276D1ADF9C27,SHA256=4ABA06FC926A87C3E0FA04DE7B83D7AE83E9F298E831F2CA325BA745553ECA1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033667Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:24.806{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D689F12D2A737A07D056CBFB5B4C841B,SHA256=4F4ED8FDC3F17B6D89DC77D231C287F14287F4F871B670A5610DC435EB217FC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017839Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:24.332{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=126028CBDD11E36CBA93B08564CC2CCA,SHA256=154911FD77750439365A397A1895E6D43F287DB80F934D355D4336D61B64C6AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033666Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:21.825{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52364-false10.0.1.12-8000- 23542300x800000000000000033668Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:25.837{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=611B882F4EB46DEFE1D0C23E0D2AF4F1,SHA256=6B1009382F446F22BF344123411C8A1457089DC5C9647EB7ACC4E9EB526E4845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017840Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:25.411{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F72DD93A325779543D330BA31EAC8495,SHA256=4E0788C5F2D5CD3B362F8ABB72DD95817F24537CB7148A6BA29490D26BABFA39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033669Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:26.853{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3277ABC7AAAA2D329DCD658BAB9E72C8,SHA256=1AEF1B34EF6E13F8A60A57BCCE1711FFB448F95FFE32CC225EA94FE6C2109D91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017842Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:26.505{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=848153C30E091A77AE3FF14EDE82BBC3,SHA256=64EB236716FFE1ACCFE0A6B631B24D2EF124484C13224A4F1D8F83C280DDDE0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017841Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:26.413{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\respondent-20211005072534-073MD5=9DBD3CF651CAD1963D7DD9E70795396E,SHA256=D00FE5240C0E39CC33FD8ADFFDA13197E8833401D0A3D05F731F6A79B8E00229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017845Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:27.520{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5254CD0965478DAF765B61B76912B6D,SHA256=8560B7CF39DCB2B85BE81B8403988EDCD450B7D467618443EF96E32C72BAAF71,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017844Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:26.177{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50603-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017843Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:27.413{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\surveyor-20211005072532-074MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017846Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:28.522{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EAB75618698D8A027F9163CE9903040,SHA256=A8AD91FA87A9ADAFA9CA41B4EE64C5DC8F17EB0CED5893D0F086103DD5C0959F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033670Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:28.087{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E51E0BDC32FB0073062C03AD92EAAEEF,SHA256=294CC26FC0303A08E13C7188B0E2EFA70FBBA8FBE10C92BC04CFBCC8216C6A49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017847Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:29.522{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A733129DF9BD90860F813A55B1CF263,SHA256=65337FBD1DAD49E21100C1B8C787279823F4F2A4B0D7A177E8860A0B01395912,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033671Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:29.321{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC5536EEA9BFE9E151F946233A5EF32B,SHA256=9544C4F95BBEF678C4E8F7011E253C81E7CC628DFCCB4D5530FD6335FF6DE10C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033673Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:30.337{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED90F1C2483A5497CB388FF243CCE626,SHA256=E275E1ABE2CC0D8BB7C2F0CDA8411E4ED3F5A3B86B0FA52D477429E0767371BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017848Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:30.522{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0700BE3B124F83994E927797BAF44802,SHA256=BC10E7EA69631F68CF1C631A1761D5A8845E453008644E75A93463DE57B1EE66,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033672Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:27.700{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52365-false10.0.1.12-8000- 23542300x800000000000000017849Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:31.537{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34CE353E91C6D2FFF54A5307CB1FCD12,SHA256=F1FF533D0934594D7FF559FF3C374592A781B0ED8A9DBAD282AA072C0690CFE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033674Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:31.337{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC19341708B61F9FA357979DB5D8B4CB,SHA256=0931BD246E45D2C1954266422551607F1A5A6B34758B9E8B5FDA9382E4FC8C5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017851Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:32.584{49C67628-FDEB-615B-1100-00000000FC01}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=68026C0CDAF2B1B878DFEDC6C82F5324,SHA256=ADE88583BFBCD0DBC1F6618DFCB79507539BFB170D8DE9F51E889BE91B1D82E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017850Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:32.553{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A071C633E4FF84CD8B28AFA2F63C068,SHA256=E16D3811B72ADCAD977EDD70B8B06449AE41B88562D84ED4A6E0B99B9AB24441,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033675Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:32.353{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7DF33DF945D3B1C33E3BE106C57C70D,SHA256=39BC179A44A7AA0CA13F3F8A514E8F1123225FB503A48B62519B4DE1CD52B80F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017853Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:33.555{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63E0D01AB4437DFC4014D616173C99F2,SHA256=ED0943167983209BEFB191B1FEA4FD46BC68C9EBF1C78A17EDC8139EA233F175,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033676Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:33.368{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E9D6F1157091896E404AFA8BFF1715,SHA256=E9C9B4C22CF3AC6F705D8453B276236E1A1CB2E36AB3B98B1A46FD07D3CF46CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017852Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:31.320{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50604-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033678Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:34.368{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DE798380F4EFB25FE7CC7967E0A7C2A,SHA256=E98077BF3E59B125D22F8D2005074151603A3915A35A438CAA328B930721D237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017854Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:34.569{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=271DF36E935C437ACA17D4DF1BEFCD60,SHA256=E0BFA55209275C0594357D85CC5E4CC61EF06145B0ADFAF034B48CBE00D24749,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033677Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:32.716{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52366-false10.0.1.12-8000- 23542300x800000000000000017855Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:35.569{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFD28C54DBF0FA8ABDC00071D8F9F32C,SHA256=48D18A8E0162E6E04ACA11B0F4876C9AE63237FD8A994D1C6B9228E9E627E8A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033679Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:35.368{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9288582B5B46087AA51FB7B429272061,SHA256=B24802B6652EBF87BB2B2EDACD47D80B3240B1EC71C51A9D703391368D06258F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017856Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:36.584{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C565A73E7601A392E3EF5FD916D142CD,SHA256=8AB6B593615D530C6FCC993A1914FBE5806C871DA0DF580447A9B1D13ACB6940,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033680Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:36.368{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D0591F7E10C243D573E06D919A73FC3,SHA256=17603CDA404A1B3B37B8DBDF977D90F0F1394A43CB2EC846C8868B2A88BF078E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017857Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:37.803{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCED4885AE960CD9E9EF1C75CECDEBCA,SHA256=F7322CC83E8D8E1B9D9CC4C6BCA654CEB8443C3FAEB7F972C8CFEFA15623C7D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033681Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:37.384{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23ADCFB8293A4D82470D12710C5C0431,SHA256=EA7DF985C8437FE14AF5BC9FF767A68ACF0E82E0D31A1135FE378E3BAAB6394F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017859Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:38.959{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F0525C0B2BD1B0F65BAB90A6EE75C5E,SHA256=588005709D8A8800F8AA4C888E86A1C44E7B0E7BDF3A64D1BD1353B9A341F255,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033682Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:38.399{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEDBB2A9A2C6D6D0CCDBD6CABD0E7E80,SHA256=5755B6ABCB5D38F94DA72B2232BA3C1E708F2D499855FDD6574A59E2E27504A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017858Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:37.320{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50605-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000033693Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:39.649{6EDEAD03-0FC3-615C-CC06-00000000FB01}4120292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000033692Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:37.794{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52367-false10.0.1.12-8000- 10341000x800000000000000033691Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:39.478{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0FC3-615C-CC06-00000000FB01}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033690Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:39.478{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033689Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:39.478{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033688Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:39.478{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033687Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:39.478{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033686Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:39.478{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-0FC3-615C-CC06-00000000FB01}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033685Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:39.478{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0FC3-615C-CC06-00000000FB01}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033684Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:39.478{6EDEAD03-0FC3-615C-CC06-00000000FB01}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033683Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:39.399{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13285AD668212F165E662F6A87C06F77,SHA256=1CAD3E8231D9A5C1161DE288B1F606927751D58F0F93729F0A3EBB8E86CE342A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033713Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:40.826{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0FC4-615C-CE06-00000000FB01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033712Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:40.826{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033711Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:40.826{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033710Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:40.826{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033709Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:40.826{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033708Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:40.826{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-0FC4-615C-CE06-00000000FB01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033707Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:40.826{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0FC4-615C-CE06-00000000FB01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033706Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:40.827{6EDEAD03-0FC4-615C-CE06-00000000FB01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033705Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:40.498{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E563F993023AD5D8C1FA650E607B4AA5,SHA256=27B1DFF35DCA9D1A31462707A793F587E1F23DD5B3CAAE8D8F1C6E99AA4B5561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033704Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:40.498{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D27DED1119387E74B27384F8C804A7C,SHA256=4D4074E768E21A948C712B5D7AD03598F871D77FD57F6D2678CA51B458C39073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033703Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:40.404{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91C4B39C97AE1BCB2F6BB28600EB5F87,SHA256=9BB367F1D172D384FF448E4B50C26C6C1441ED73516F6512BAE65B21B953107B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017860Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:40.197{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7454F0E04FC796EE18FA06F614A2050C,SHA256=D8020FB69B8702D153AEFADC438B836FED840993D30C7A2A79564D5EFDF8365F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033702Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:40.154{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0FC4-615C-CD06-00000000FB01}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033701Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:40.154{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033700Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:40.154{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033699Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:40.154{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033698Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:40.154{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033697Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:40.154{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-0FC4-615C-CD06-00000000FB01}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033696Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:40.154{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0FC4-615C-CD06-00000000FB01}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033695Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:40.155{6EDEAD03-0FC4-615C-CD06-00000000FB01}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033694Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:40.014{6EDEAD03-FCBF-615B-AF00-00000000FB01}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017861Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:41.259{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD2E7006CBF07EF6EAC72BCF9C1EA50F,SHA256=E5DCB672E74E6A481F8BA008B504BEF58EA88105ADE626B4EADBE7F043EE5FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033715Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:41.826{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E563F993023AD5D8C1FA650E607B4AA5,SHA256=27B1DFF35DCA9D1A31462707A793F587E1F23DD5B3CAAE8D8F1C6E99AA4B5561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033714Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:41.420{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E896E106B940AD844C6F2D9FF16D591,SHA256=EE8AB537B49AF70AF376E335F9AA569EB29D12B820F7CCF82FEB8EE24686D096,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017862Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:42.353{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A03F7303C9637F486E3B7F53FF690587,SHA256=53B4A084662497ADF051ACB68E6FAF4B99F060660EA4F26F5F4CE44093A926CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033726Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:42.670{6EDEAD03-0FC6-615C-CF06-00000000FB01}13244552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033725Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:42.482{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0FC6-615C-CF06-00000000FB01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033724Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:42.482{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033723Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:42.482{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033722Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:42.482{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033721Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:42.482{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033720Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:42.482{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-0FC6-615C-CF06-00000000FB01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033719Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:42.482{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0FC6-615C-CF06-00000000FB01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033718Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:42.483{6EDEAD03-0FC6-615C-CF06-00000000FB01}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033717Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:42.436{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EACB9898EC37664A1CC2E61BF716FD71,SHA256=2394F684A63C08391ABE764C93BCD2B45BF2EC56C473E2C3B5235A41B6D1BC35,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033716Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:39.596{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52368-false10.0.1.12-8089- 10341000x800000000000000017876Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:43.978{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0FC7-615C-EC02-00000000FC01}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017875Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:43.978{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017874Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:43.978{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017873Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:43.978{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017872Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:43.978{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017871Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:43.978{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017870Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:43.978{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017869Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:43.978{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017868Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:43.978{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017867Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:43.978{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017866Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:43.978{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-0FC7-615C-EC02-00000000FC01}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017865Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:43.978{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0FC7-615C-EC02-00000000FC01}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017864Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:43.979{49C67628-0FC7-615C-EC02-00000000FC01}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017863Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:43.541{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59FACA7098B52A9AB7AC18846614B1EC,SHA256=DAC05C7CE0BB3BFB3235142C9CD054087817918395A535770B25636C2DD31F10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033746Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:43.795{6EDEAD03-0FC7-615C-D106-00000000FB01}53045504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033745Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:43.654{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0FC7-615C-D106-00000000FB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033744Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:43.654{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033743Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:43.654{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033742Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:43.654{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033741Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:43.654{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033740Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:43.654{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-0FC7-615C-D106-00000000FB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033739Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:43.654{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0FC7-615C-D106-00000000FB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033738Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:43.656{6EDEAD03-0FC7-615C-D106-00000000FB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033737Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:43.498{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07CB02F87B45AB330D61C6BB9BC3371A,SHA256=59ACE7586AA5463B6C2FC127A458A3879462506BB427B0C2BB9D9331DBBAA730,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033736Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:43.436{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AF13462BF9B033767990895306BC6CA,SHA256=99140356EAF6E30A7D447C8825EAF09B5D049263FBF12AAF5AB7867634B64038,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033735Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:43.311{6EDEAD03-0FC7-615C-D006-00000000FB01}53405992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033734Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:43.154{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0FC7-615C-D006-00000000FB01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033733Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:43.154{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033732Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:43.154{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033731Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:43.154{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033730Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:43.154{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033729Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:43.154{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-0FC7-615C-D006-00000000FB01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033728Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:43.154{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0FC7-615C-D006-00000000FB01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033727Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:43.155{6EDEAD03-0FC7-615C-D006-00000000FB01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000017892Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:43.245{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50606-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017891Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:44.650{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23951E72AEAD9630FCBFC4EC8D9DD846,SHA256=5F2DC7E7D910CA780E67495A4116E3935179E30A05689DCFC8B753AF33C01423,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017890Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:44.650{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0FC8-615C-ED02-00000000FC01}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017889Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:44.650{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017888Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:44.650{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017887Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:44.650{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017886Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:44.650{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017885Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:44.650{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017884Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:44.650{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017883Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:44.650{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017882Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:44.650{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017881Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:44.650{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017880Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:44.650{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-0FC8-615C-ED02-00000000FC01}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017879Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:44.650{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0FC8-615C-ED02-00000000FC01}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017878Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:44.651{49C67628-0FC8-615C-ED02-00000000FC01}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033756Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:44.654{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE4618DDAAA668DB0DBC1B8D74B05DDE,SHA256=104DC5626D8EEDE091533588A4506EDB99F455A7CC8F88B88FB57A2238C11F8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033755Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:44.451{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC5E8904A28E8BE82ABA894ACFE1FFB9,SHA256=A8CE3E012900263840E2A2856BBA988BBB7A9E22F7755153F628CB2F1A0F6B47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017877Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:44.134{49C67628-0FC7-615C-EC02-00000000FC01}13883580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033754Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:44.326{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0FC8-615C-D206-00000000FB01}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033753Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:44.326{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033752Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:44.326{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033751Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:44.326{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033750Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:44.326{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033749Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:44.326{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-0FC8-615C-D206-00000000FB01}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033748Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:44.326{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0FC8-615C-D206-00000000FB01}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033747Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:44.327{6EDEAD03-0FC8-615C-D206-00000000FB01}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033757Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:45.467{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=844DAD1970B74CB2A91424EC11FB541A,SHA256=B552D68E0F6986DC7353A4A49B46D740A39FB7FBC1086DEF9927EFB6356FD593,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017907Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:45.322{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0FC9-615C-EE02-00000000FC01}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017906Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:45.322{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017905Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:45.322{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017904Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:45.322{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017903Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:45.322{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017902Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:45.322{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017901Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:45.322{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017900Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:45.322{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017899Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:45.322{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017898Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:45.322{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017897Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:45.322{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-0FC9-615C-EE02-00000000FC01}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017896Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:45.322{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0FC9-615C-EE02-00000000FC01}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017895Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:45.322{49C67628-0FC9-615C-EE02-00000000FC01}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017894Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:45.009{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F3622575F9BE32DA782B63F66B3424E,SHA256=9E56DD704AE8685D4BA5B4C8A8ABFF211728C33AC858378FB457B59F01643DE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017893Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:45.009{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0F37B25E3E35EA82171143FADC0D98D,SHA256=8692A9372FB010897BB9EB8654792F6F179880070D0AAED184118CE2EB618779,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033759Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:43.705{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52369-false10.0.1.12-8000- 23542300x800000000000000033758Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:46.482{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54712A54F306CD57122FDEEC8838FCDC,SHA256=A565F3628CAFBF3577A0CACD8E2E9496871BA38CFC2850971CE6FDAF418505CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017923Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:46.572{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F3622575F9BE32DA782B63F66B3424E,SHA256=9E56DD704AE8685D4BA5B4C8A8ABFF211728C33AC858378FB457B59F01643DE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017922Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:46.322{49C67628-0FCA-615C-EF02-00000000FC01}10403304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017921Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:46.166{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0FCA-615C-EF02-00000000FC01}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017920Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:46.166{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017919Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:46.166{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017918Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:46.166{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017917Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:46.166{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017916Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:46.166{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017915Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:46.166{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017914Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:46.166{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017913Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:46.166{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017912Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:46.166{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017911Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:46.166{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-0FCA-615C-EF02-00000000FC01}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017910Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:46.166{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0FCA-615C-EF02-00000000FC01}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017909Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:46.168{49C67628-0FCA-615C-EF02-00000000FC01}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017908Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:46.166{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C85CCD1ED1AF96D793A08D227F9474F3,SHA256=5A5EF8C2E07DF20C20E4459CE4BAF63C9795BF284CFE68377CBB6F5608068896,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000033770Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:41:47.654{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000033769Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:41:47.654{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x004cf700) 13241300x800000000000000033768Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:41:47.654{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b9bc-0x735ba3c7) 13241300x800000000000000033767Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:41:47.654{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b9c4-0xd5200bc7) 13241300x800000000000000033766Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:41:47.654{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b9cd-0x36e473c7) 13241300x800000000000000033765Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:41:47.654{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000033764Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:41:47.654{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x004cf700) 13241300x800000000000000033763Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:41:47.654{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b9bc-0x735ba3c7) 13241300x800000000000000033762Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:41:47.654{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b9c4-0xd5200bc7) 13241300x800000000000000033761Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:41:47.654{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b9cd-0x36e473c7) 23542300x800000000000000033760Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:47.482{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12C8294A2C035170B5F94733EB4B8A63,SHA256=B12EF12F1540FD78A66BF5008FB040F955755B261054C7A08B8EDDB736FFD7F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017936Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:47.994{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017935Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:47.994{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017934Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:47.994{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017933Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:47.994{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017932Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:47.994{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017931Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:47.994{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017930Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:47.994{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017929Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:47.994{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017928Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:47.994{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017927Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:47.994{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-0FCB-615C-F002-00000000FC01}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017926Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:47.994{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0FCB-615C-F002-00000000FC01}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017925Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:47.994{49C67628-0FCB-615C-F002-00000000FC01}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017924Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:47.353{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E976968F1620BF8AE76179D4C7ED2EB0,SHA256=71A119F9D99C648FC9CE7D9C39DC064A1BC03C1C1BC93F02E8D8B3AE3EF2F6D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033772Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:48.967{6EDEAD03-FC1B-615B-0B00-00000000FB01}6364472C:\Windows\system32\lsass.exe{6EDEAD03-FC18-615B-0100-00000000FB01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000033771Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:48.482{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC7112C5F96FEF7B541AF6B2E2F7A45C,SHA256=4BEDFFE49D934364A79538083B163E74962A8DF65E5DC5B6C0DC0BEE15B624E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017955Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:48.994{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8128ED7BF140416FB9F8E552817C5AB5,SHA256=A0C2B2CDE9B28EF47E0A2528BC5CDA066130D28F74EC5F8CE49D844F154DE03E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017954Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:48.697{49C67628-0FCC-615C-F102-00000000FC01}28681120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017953Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:48.556{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0FCC-615C-F102-00000000FC01}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017952Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:48.556{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017951Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:48.556{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017950Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:48.556{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017949Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:48.556{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017948Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:48.556{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017947Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:48.556{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017946Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:48.556{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017945Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:48.556{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017944Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:48.556{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017943Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:48.556{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-0FCC-615C-F102-00000000FC01}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017942Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:48.556{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0FCC-615C-F102-00000000FC01}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017941Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:48.558{49C67628-0FCC-615C-F102-00000000FC01}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017940Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:48.384{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A9F3632B585E4CC691C7BFE6807B2BC,SHA256=BBC06F7FD38D60C86E546C9E3523472C21F790626800F8729BBDAA68AD117241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017939Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:48.275{49C67628-FE68-615B-9F00-00000000FC01}1772NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017938Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:48.167{49C67628-0FCB-615C-F002-00000000FC01}13683832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017937Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:47.994{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0FCB-615C-F002-00000000FC01}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000017969Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:49.541{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F67A808175139074DB5E5A1B040AAA,SHA256=57AAC2262825AEF9FB7C1F83AF26F127215764E971F94DDF9EE0B77C8AEAE04E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033775Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:49.967{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=147B087D31551A13260EEEBAF9CAAFFF,SHA256=8958BE26CF65770738FEC92B3C49CAD1E6FE1A2699384565A51A77DE343EE069,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033774Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:49.967{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB7A3B586D871A14A125CFF4B3568B5F,SHA256=7E6EB267FAFB0A84134B38D1A173B27E0D6E471B188A4E303C830FA76A8D3C48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033773Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:49.482{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D584025FA220012D8D94F45DAF2404C,SHA256=92B05420567554B318C0055347A9D95A4CC8C99F74A1F26AB17E6FF793BF0683,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017968Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:49.181{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-0FCD-615C-F202-00000000FC01}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017967Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:49.181{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017966Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:49.181{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017965Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:49.181{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017964Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:49.181{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017963Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:49.181{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017962Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:49.181{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017961Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:49.181{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017960Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:49.181{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017959Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:49.181{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017958Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:49.181{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-0FCD-615C-F202-00000000FC01}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000017957Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:49.181{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-0FCD-615C-F202-00000000FC01}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000017956Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:49.182{49C67628-0FCD-615C-F202-00000000FC01}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017972Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:50.556{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EB06F52EFE60DA130C2677A3EEBFB50,SHA256=16DE18565B0930394CDB116299BB9B3FBAD6EE4F1AAC3BC4493BB0ADBEB1BD78,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033783Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:48.568{6EDEAD03-FC18-615B-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local52372-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local445microsoft-ds 354300x800000000000000033782Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:48.568{6EDEAD03-FC18-615B-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local52372-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local445microsoft-ds 354300x800000000000000033781Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:48.466{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-676.attackrange.local52371-false10.0.1.14win-dc-676.attackrange.local389ldap 354300x800000000000000033780Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:48.466{6EDEAD03-FC1D-615B-1600-00000000FB01}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52371-false10.0.1.14win-dc-676.attackrange.local389ldap 354300x800000000000000033779Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:48.458{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local52370-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local389ldap 354300x800000000000000033778Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:48.458{6EDEAD03-FC1D-615B-1600-00000000FB01}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local52370-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local389ldap 23542300x800000000000000033777Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:50.826{6EDEAD03-FC1D-615B-1200-00000000FB01}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A134BCCFCF8E8A87C0A52DE4F30692E6,SHA256=FDB1A9E888BD916206C77EB1E433CBCA390021B31DBA41AFE424C615ACEB3767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033776Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:50.482{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDEB81D6A683288D3C10ECE7C7A743C6,SHA256=A538957A00D636383B8F4300964835E13A7EE0C3F3E106D8B669BB16334E059F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017971Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:50.197{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=556E9DD704A740995AE397154800B042,SHA256=727DB7E2BE24A107EF4A9B739D7254CAC7B3FFC2754DF7BBE06CB5D953F56145,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017970Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:48.323{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50607-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000017974Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:51.728{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FDEE8A2575299352D26CB8E9301B85F,SHA256=188FF0DB87C8D7D03C980E4C7BB26B6A15794301FA0789D60014881DEE376028,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033785Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:49.643{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52373-false10.0.1.12-8000- 23542300x800000000000000033784Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:51.498{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=129E3473CC67EBAF5A8FE3B04F7506FA,SHA256=D488AAC1BDC28CEE85E457F0129453B3B19CECCD6D38C62485F8FE4C4851C00D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017973Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:49.216{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50608-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017975Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:52.962{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F40BA9AE99BAC6DC4793D5A8F4F5199E,SHA256=58F92E1F4608AB9DA46A1266F2AD4299E4132526770CBEB909B60EDB6695F94D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033786Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:52.732{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD73653B2268701C5D6349E0BD68F270,SHA256=8A8C99FEE836DCFE0A25D902AEBDC1685163290936FFF40B32102F2B6D696EB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033787Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:53.748{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EA9BE42BB3D867271A6F500B5A12ED7,SHA256=B512487CB24AAFC8F29574DFDB51B056BCF21BE72D3E30F4489367F8F52FE2FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033788Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:54.764{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=705536F388A706B8D4DE156EEFB43B05,SHA256=76F7A41FA9C093F14EF41A8143905B68E4ECF13871619A066173A23FA4A9864F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017976Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:54.041{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32F03F6D2014CAC491B91E6BF5E592DF,SHA256=9B17EC9FB43608B730C8D84AE70FFC85F315C6AE9AB9E6AF3F41AA814B39B33D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033789Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:55.779{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E8EC0C9FF3C390DF04E5A586BFE83CD,SHA256=99959285A88605CD29E56C661A0E8E684122E4466D6C1A2F6E33B78D7075D173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017977Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:55.103{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEAA5E130A06E4514E6573C96FFC6438,SHA256=B1F6AC1692015BE69E2DF7B0CEC904D991C1878433AE8101BE78B50D76B32F44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033790Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:56.826{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2517B97A7E5873ACA9F10565FF3B5D1,SHA256=9700645C89D30E105422C36C36255CE15F4E44E2C46B7B175944256AD8E746AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017979Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:55.213{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50609-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017978Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:56.259{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=705B912DF798C52830E5E995C9E7A3A0,SHA256=AFF3F02EC06C94C658EDF55DBB1890EF17093EE3515289DB36E5555DF3D0536A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033792Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:55.643{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52374-false10.0.1.12-8000- 23542300x800000000000000033791Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:57.826{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B158B3D743D58EFF14BE59CF0E635AAD,SHA256=E3E0429AAD6ECEF1C64BF583BD3937FCF781C20D7B4646084CDBB005C8474132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017980Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:57.384{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A8A99B1E999F6E0ED7BC1E06ED4A6A0,SHA256=67112BBCB811BF48F2084DBD4897C8141B421A7DFEE1D6E54EE7041A2FD6E3A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033793Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:58.842{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F556576935C6B70C2A38F18696A83DD,SHA256=6DFDAB8DE43EF648B7939BCB7ADE5FC04A93BE91643353F470F693A74DE4BB43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017981Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:58.619{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D209EBA49E854371EA14EB885978B034,SHA256=42DF83874809B909DF66E54F8E5BBDF5CFB3E6E39CED3E38A4CE5C2E0865631C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033794Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:41:59.887{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=162B95932A282DC28C9D467E8EE97D0F,SHA256=64E002C19FD80DF873B350CE3F002AD487B0075417D7744ED34DB7AA812B9E34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017982Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:41:59.665{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B73347AC59C6849267D01C76D2E5D1C5,SHA256=54F818790FB8EDF2AFDAA92D68AEC6F8AF54CA3737527B92A22311B2F9FA9A2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017983Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:00.711{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DDBE631ABA9F8E03CF2837A21880D33,SHA256=56E75162AD1A48E1D4B22AED0F967F1E81A27BAFC2432655E86CE8076AFE2820,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033796Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:00.762{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5FF6CD00DE83E77CE4B05AEEA6A5C165,SHA256=C962611337AD38A42B4E98B40190804BE0129C03189416BB4181120160EF9F3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033795Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:00.762{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=147B087D31551A13260EEEBAF9CAAFFF,SHA256=8958BE26CF65770738FEC92B3C49CAD1E6FE1A2699384565A51A77DE343EE069,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017984Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:01.805{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0AFFEE73505212D9EAEEF48F6D6E250,SHA256=EAB2DA98B927B6FEF050BA8B2D25F6C02E1358B9B642CCCF5BA92AEF2F37AA24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033797Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:01.121{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C941402C59331A14E0F198BA73A931,SHA256=640FE94A6682B5D7FC5F940E74E259E2178163380377847D20B5902A5E850302,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017986Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:02.820{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B11CC06055298A70E2519257C6D9B962,SHA256=905CD317479A51A34B10FE889C1772B4531C9076CE17687C2D4FC3307D7A4788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033798Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:02.356{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08A069FBA8CD2916742B556671E50361,SHA256=17BDD8A5F876228EA6D75213AFAD4E4BEFD5C8E380AE5B08735CCAE8FEDCC459,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017985Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:00.275{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50610-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017987Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:03.836{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0400C49EA030A86CCB987C9DDDA46201,SHA256=A0B2FE691B010D8BC40E63A3D1439F899CD0C500EC83C899A78F3C15F7A7FFD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033800Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:03.387{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D49474B6CA5BF24C4F6B0A9A90B9129B,SHA256=5752F033D292A59A0121ED003C407AEA1F8261DF1B9F9601D4B6721EAA6C61FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033799Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:00.797{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52375-false10.0.1.12-8000- 23542300x800000000000000017988Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:04.851{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68038936A7CAF2F039625E23C038205E,SHA256=466C3DFE6A51019E8EBBDDFF196EB336AA4BC540FE89878BF0110C49B3BB6EFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033801Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:04.403{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B1B58B704CC38D094A76F9BA09D0D72,SHA256=FBE95697CFBB7B9FE5E58ABAEE80308D3685504B97F7C21245A917E777D72E5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017989Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:05.867{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EC6AD5B284BC3E80E868051EC61E76B,SHA256=F1F12BCE92BF82D67DB8C53E3C682CEA5A779A550846D6ED8AA20622A1299063,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033802Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:05.418{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=320F30595541EF3FA13172D7697A0980,SHA256=8846A6AE8EED9DCDCF44CA49B0BA4790E6B7207A4B291338FB311D0F04A54F36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017990Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:06.867{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6465214297A8EE20E574630A230C11C,SHA256=4306E994DA990308B6E30861C1FA73ACF12BA11E642EE866D8D1E44185CD8342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033803Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:06.450{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A63E4EC346FD7210D5B01D4276F965B6,SHA256=00B2F02868EB697AF02FB7F2ED0F3536437C84C950ACA51A995D4E340F4A4315,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017991Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:07.976{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45C7DDBBE29386454943F1D14A798015,SHA256=6F0E095D11B58159AAFAD83C5C81FD3FC95B746014268AF93237B8C16C9B7465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033804Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:07.481{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=640E18A0B260525D461F04FDF3FE88FB,SHA256=99FF9A11885BF945ED8EDDBEFEA998F6DA0264F7278993197A09ED0CC521F915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033805Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:08.481{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B1C180C98D74CB3B88D94C01BC8F8CE,SHA256=1BA18C39307CA57251EB93AB5918FBAB05E1BB48B7A85EE64C880CB0E1E683CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017992Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:06.196{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50611-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033808Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:09.526{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D66D8D81885749F0207675745C8EBC29,SHA256=AA95F1365A8251D73A4A2250D141F9AA2F2817867EF64E4294B3ADBFEDB8406B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017993Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:09.117{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCA1A340ADBD3D2B9EF0223125DBA55B,SHA256=BC72A67F7F71E217DAEB36684F4E668F2E38574A4FF525B55658FB23807A8010,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033807Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:09.297{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\respondent-20211005071805-081MD5=AA6F78CCC35FD74424B933C975A9F779,SHA256=482DFC86E7C4A11E76E3E352EB64B396C84C083D9F57F37823883232EC55A225,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033806Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:06.782{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52376-false10.0.1.12-8000- 23542300x800000000000000033810Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:10.540{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38B23810FF643E0F90E22F05488188FB,SHA256=808DD98BEDCA959C836AA1C79838B644BEACF4B6811F32B65328B8853ADD5692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017994Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:10.148{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AC3368C9C6C0D1F40A58632BEE51F62,SHA256=6034AE9D4EAF3E6BEE085E49FCF49D4F10E68C64C3B42D17E971CF0AC54E26BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033809Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:10.308{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\surveyor-20211005071802-082MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017995Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:11.383{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A9ED3D17F4190DD98FEBA8A27E460B3,SHA256=9628C5B6A8AF30F1B7249447C978036CCCA6A57B39C946D361CEAE40D3EA6BFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033811Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:11.559{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC8E482BF79E6ED91F74C8965189F86,SHA256=1B0A0E978C76A893266B764CCE63E360BAA496CF8C5A54D49CDA0E03C04FA4C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017996Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:12.523{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=933357EFB0F45762CAE6615A44CC93CA,SHA256=E05179BAAC5F4A0E04FE5DAECB7E971A19D18F6441D9903806335A75E271635B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033812Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:12.574{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7193B614CCA96E0B0659FE90A29B071D,SHA256=1BEB427260A58CDFC4E7336413055080D03E577A174AD0B4E72D37B07C91DCC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017997Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:13.601{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C3A15AB0A5CE99FE16F0D3B5F595A79,SHA256=CA5ADC5B9C6C30FB079D167A1835CC64EEB5DF3C0C05C522E22598AB262DB015,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033813Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:13.605{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A47B5717E25494425E55FBED58C992A,SHA256=B9D6507D9D99E54EAEEEAEE36FF6B5773F36ECC0CEC2DC0CA1A3C263441EBBFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017999Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:14.820{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3D53FEFCF0243160C8EA26085F76873,SHA256=9F2916CC62F1C74CF7F62601968A1A6B3F1328862310339C77915D0810B417F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033814Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:14.621{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=443854DE1F4C1F84955C6D9982618661,SHA256=1B7F5CDC7D59263D352ABA43FD51ABF8B91BF32C28A88769743F1E4DC130E613,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017998Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:12.149{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50612-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018000Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:15.930{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A49D9D32BED059373908EDA5A83AC5A9,SHA256=11532FBF8F6CA589D7766902D12620D51C842E4EBFD8ABA7A3D25E3277F0F5AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033816Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:15.637{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39404F2D18C5CA720A8FDEB1646B4133,SHA256=CDC387C433F2B8350DC86E4D3613A82A649096D123E1B1623F4034464BAE7BAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033815Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:12.813{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52377-false10.0.1.12-8000- 23542300x800000000000000018001Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:16.930{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC570F561DE1CEDF96525FD4D46BB4D3,SHA256=E126253DC6B21995580C74A654626011DAB48821222081DC75B848A113E10FBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033817Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:16.652{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4B47637AA6119D319F058CE3A7E4E1F,SHA256=679F25A804BFCA1D575D4B578600BAAA2EACC37AEDA7309E506CA42DB90C5051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018002Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:17.945{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0012C1939775B292E5002302B42FBC20,SHA256=4DD2400C3BC855D3122E9D84DF0E706118EAF90064DFCB1B573A7FEE6CCFA17D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033820Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:17.902{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E4CBA5AE013A304EB2AFEA7087E3690,SHA256=511793000839C9E92B217A8A55EC56FD2EE38C40C26C94576EAA1B0EEF470728,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033819Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:17.902{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5FF6CD00DE83E77CE4B05AEEA6A5C165,SHA256=C962611337AD38A42B4E98B40190804BE0129C03189416BB4181120160EF9F3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033818Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:17.652{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF22C87740E9BAFA6D2CF416190AE6EC,SHA256=20F370AED9847F4AA0F92D7D7A70E2BB7E99114C0262CE55BCEE13483B9AD61E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018003Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:18.945{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5B57AA4A389A7FFF291D8BF8C6F1E02,SHA256=936AB440EDBDC55E6450AA204A678142BB3C7C00F0985DDDAE74BFD89CB69DCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033823Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:18.684{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BDA31A2D04EB5F467D0C5D9D2C5F329,SHA256=B7F62BC570AA47E3F7E744ADCB2AAFC86DE22907B405E883AB0D38BC62D5B99A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033822Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:16.438{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local52378-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 354300x800000000000000033821Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:16.438{6EDEAD03-FC2A-615B-2900-00000000FB01}2912C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local52378-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 23542300x800000000000000033824Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:19.730{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E16CF819C04517C35713616FCBB7CE3A,SHA256=9C61D8AED98239AF62B26AB984A618D23E5AB87B76804DB974F48011BBF9987F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033825Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:20.761{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6D4C66898DAA008B661179F74F939FB,SHA256=D0B40CC84673FDAE9E8F59D858EBDB11FF76813ECEB0F1FA3F908851DD6212D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018005Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:18.150{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50613-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018004Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:20.179{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B573BB221699EEFACC0237BA54E2B80E,SHA256=DFD88C3CE824CA81D0F73CE23932F16DDA191FA1E95E6BE398965DD1F56F7884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033827Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:21.777{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0105889F431FB75E29F657874D8ED34,SHA256=8F87B85996576372AA5A5858CE6EC738DFDAAE6C4D705ACA586CE4968D9631A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018006Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:21.304{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05CBA664D69E4A908B180CC3A9BEF83F,SHA256=A85AC00A7FE222659E0F97F3301A971C063F335146DF895D2138B637C8EB4195,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033826Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:18.752{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52379-false10.0.1.12-8000- 23542300x800000000000000033828Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:22.777{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25EEB780A88C4747F1670D505D5380F0,SHA256=E22A6C4B0960ED5821C3E1E47B6A136D269AFFF3CCE835E819A11EEB0FD17EE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018007Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:22.538{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20677A1A2A136EE6CF1D9DCB61BF80D2,SHA256=0F70000E0661B6B9F5F89BD24614BF5386B1B2EB605B43C21E74DDE45D0B1EA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018008Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:23.726{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1122533427F198E171AF1285C43E77E,SHA256=F0911E0BA9C8F64493DE1AE65017D35144F076A0FC985AD7CD95CBD9863F2798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033829Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:23.792{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81BEB90B1B3658C4BC9044B1130ED404,SHA256=2135EE8D9FB2CCFF7D12AE87234B6113CF6CFA3A79F15529238A96B1AF78D014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018009Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:24.866{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AFA26409E40C8476498F439B7D4DA72,SHA256=D8C8E30A71055EFD7DB2806A5F1C29C979173C437D6E1C80FF7D36C1F8B02229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033830Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:24.808{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A91CBD4B7C359B28A5CFBECAF7939E0E,SHA256=CA05A8DE167EB516CBA1FEEA9E82E4F93493110D926659A921F9BE3D49E3EB57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033831Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:25.824{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF5020C9186680B01364E7FDCCF8E47B,SHA256=8DA5CF9C526F0B826C9ED416EE0B32D33A79A2FA794051C776A3B097B7078FEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018010Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:23.258{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50614-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033833Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:26.824{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F6DD9E98D1177901F63BB7F2E359D44,SHA256=4A3408E9BD9CCEC1340B106FD692092CF00A10588342085CB686B0AF87BEDA2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018011Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:26.007{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA1F8752FE60B897F9A23A359BF2E437,SHA256=E886FAD3659402E19042E23170B0AEAC7702EE5C7E8CE0E3E056075F962F5BCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033832Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:24.718{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52380-false10.0.1.12-8000- 23542300x800000000000000033834Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:27.839{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FACAAD2D83B0736A5474D59EACC06017,SHA256=6D17958E9E32125D101609D649BC3249DC29E112780792CD96BB8EDA0E0CB24B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018013Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:27.933{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\respondent-20211005072534-074MD5=9DBD3CF651CAD1963D7DD9E70795396E,SHA256=D00FE5240C0E39CC33FD8ADFFDA13197E8833401D0A3D05F731F6A79B8E00229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018012Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:27.023{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=443634CEB800F0C9CB0FC911EAC5F58B,SHA256=A98D10202207EE353824EF8C48420283B47579919E9043044F95689519977DD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033835Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:28.839{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7227332A000DBD8DFC8BA0CF183534F9,SHA256=BFCE8D0F31A74F51068BB47DCB1BBCF63249D751646713AA19EBCD3AF7A867B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018015Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:28.931{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\surveyor-20211005072532-075MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018014Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:28.024{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D45F51A08910F17A8BCD279E1BA301D6,SHA256=FB4B2AFA2525B3CAD19D1D96E16FF2B62D6CFB88FD79FE9855B47FED83EE18C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033836Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:29.839{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57598FFA89A1C17B9D012541F8FDA38D,SHA256=90B713EDCB6771CE1B4D6AF16A60545EAF10C53AD8EAADB2D5E1BDAF1AE6B4D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018016Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:29.241{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9CC4724239EFDEC45709AA40B719E9C,SHA256=B2E59119372AF5D727B6E24B5CFE5AD15ABCCCA8139ED2870D2FD27917A0D54A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033837Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:30.855{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBC34D707BACDE9213C5CE15FA87C1F3,SHA256=AFA0D298C68F6C72C8FF24F47751DA7B09E83344005865F0C7E4093998C3619A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018017Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:30.478{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=132A5AB273B6215A0A9C23929D2927D0,SHA256=6F12C57CC3EE8990509DFBFC10205EBBF88B6D67A0C16B7C20BB361B7DE798AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018019Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:29.259{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50615-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018018Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:31.478{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F683738F2BB194032CCD1E18B284F58,SHA256=E0B350B804413E8DDA7A19B31B8D806505157C9ABAA973DED39C08F212EE5B03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033838Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:31.855{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA346113EFCDA86F1B8EEC7805FF689,SHA256=CC1B7B844862B781BEA15574F420A765109741998F18A335D974B6725964A92F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018021Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:32.697{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4692AFB2934144CC0E511489D975625,SHA256=A0D689BE873C2A4227AC4EB7ABBF462CD7556C5C9C7AFA4A8D6C6CAD39BF13A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033840Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:32.886{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A9E186CD65B27606C9C0C8C8186036,SHA256=D946A5BD03BFEDB02FCC1D969A41FFE1BD0B8218A21B26AC7A75DE4870FD354D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018020Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:32.587{49C67628-FDEB-615B-1100-00000000FC01}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6DE802FADD5BEE42590BB7CB46791867,SHA256=53C3C264C16EB56DB0CAA9016FC7222BDB4E2D088B3953C05CBFC893FD9587DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033839Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:30.719{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52381-false10.0.1.12-8000- 23542300x800000000000000018022Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:33.712{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D404FF1568719C78D27B7F2811F271B3,SHA256=958FA26E7F009A7F65F13F753E2D53A6B2E008490E5A72D6013A813AE73C6003,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033841Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:33.933{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A497E90BB6AFF3D5175A63758CC247CB,SHA256=FCBF67DB18DAA5945F83DB861FA307C4ABA70744E40AFE3808BF509D687DBCEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033842Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:34.933{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=003EF37AFF898A10FC2BEE6B789853DD,SHA256=43DCE123CF01AC5AC85A2AB1F0CB3EA1A59521C539DEABC485236E16F10DF5B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018026Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:34.744{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F76F474D84AAB01C4D2E8E79A34899A,SHA256=E9882D6602F6526F3832669C237E163ABB3FCE05C2D892ADBCE3CFC59834DBCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018025Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:34.697{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-1300-00000000FC01}684C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018024Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:34.697{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-1300-00000000FC01}684C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018023Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:34.697{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-1300-00000000FC01}684C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000033843Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:35.995{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B7CD1CD498A7C741A8BE28793D2D48D,SHA256=807AA0A185E61048ADA765BF59C917B6602AE16628A4CA7A55F3EF671B45BD66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018028Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:35.744{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AD2329F49FA073A99A15DEECF41F9FB,SHA256=1C2AF6E559DC1BEA4A5C3B2CF87F743A9D9A4F2A0A4929890C3FB5E34217D456,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018027Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:34.307{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50616-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018029Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:36.915{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE98BFD9AE10248FA55E3DD84F7FAC44,SHA256=1C70E821D48A2DB8C18E8C2C485DCF5F05038EA5950DC46304CB9765A35634FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018030Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:37.994{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F928290646C7C46E9228EB766876B006,SHA256=12C787D4D7693B0D1300B3276B9B39EA48DF1E4B8E47556E917A46444DC5989C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033845Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:35.828{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52382-false10.0.1.12-8000- 23542300x800000000000000033844Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:37.058{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E00FBF09E92CC96105CC91A9E9596F4,SHA256=6C131CC9CE1626AA23276C75712129D85063F91FB40BE28B7F4ED750F3E6898D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033846Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:38.074{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A98541A0E5F34F93197F0A29A25C015,SHA256=32E64DB95E98E0162F97E16D0600086102635D1E7B33C1C71D3AB9C53AE30C90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018031Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:39.150{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E6BAA8EDCEE75547FCCE16775F3127C,SHA256=CA5497710D83914148200EF95E3C33DA29AA6AED84DE3216F3750394F0B9E7C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033855Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:39.480{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-0FFF-615C-D306-00000000FB01}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033854Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:39.480{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033853Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:39.480{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033852Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:39.480{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033851Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:39.480{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033850Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:39.480{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-0FFF-615C-D306-00000000FB01}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033849Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:39.480{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-0FFF-615C-D306-00000000FB01}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033848Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:39.481{6EDEAD03-0FFF-615C-D306-00000000FB01}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033847Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:39.089{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CE5F377D2B655991F359BCD50443B84,SHA256=F637477EDC0D48C64A35FF2E93D3B0680FFB23BE4D527647A6FCBC07F2BB48B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018032Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:40.224{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA27AEF68AA46EFA605C110CC353486C,SHA256=23ADCDBEFBBCD404326D53D7E05E442E063A4CD166CF7588B7679EC78DEAFFAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033876Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:40.540{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-1000-615C-D506-00000000FB01}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033875Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:40.540{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033874Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:40.540{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033873Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:40.540{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033872Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:40.540{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033871Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:40.540{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-1000-615C-D506-00000000FB01}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033870Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:40.540{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-1000-615C-D506-00000000FB01}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033869Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:40.541{6EDEAD03-1000-615C-D506-00000000FB01}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033868Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:40.493{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31A7C0984B502686C5592A6DB62E1314,SHA256=3F7896421007B5F6DB2177DED869CEF2077F4F49A054172986024EC155254864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033867Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:40.493{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E4CBA5AE013A304EB2AFEA7087E3690,SHA256=511793000839C9E92B217A8A55EC56FD2EE38C40C26C94576EAA1B0EEF470728,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033866Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:40.196{6EDEAD03-1000-615C-D406-00000000FB01}64925520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000033865Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:40.103{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF7F1EE6550958FB9C79327518D0332,SHA256=ADE69129612D6FDCD7FE07A82E3FD1ECDB2AA558C8625F9A4A3210B5249C56FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033864Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:40.025{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-1000-615C-D406-00000000FB01}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000033863Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:40.025{6EDEAD03-FCBF-615B-AF00-00000000FB01}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033862Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:40.025{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033861Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:40.025{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033860Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:40.025{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033859Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:40.025{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033858Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:40.025{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-1000-615C-D406-00000000FB01}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033857Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:40.025{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-1000-615C-D406-00000000FB01}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033856Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:40.026{6EDEAD03-1000-615C-D406-00000000FB01}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000018034Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:40.163{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50617-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018033Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:41.255{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93A42A8AADFDA9DF09C9B464A61EBC0A,SHA256=E85445E7AA736A2897A325E67038549E40EBE1A92060849DBEFFF2A319ABC56E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033879Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:39.623{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52383-false10.0.1.12-8089- 23542300x800000000000000033878Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:41.540{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31A7C0984B502686C5592A6DB62E1314,SHA256=3F7896421007B5F6DB2177DED869CEF2077F4F49A054172986024EC155254864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033877Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:41.118{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B349557D4C443B3573BB3AD7DF271831,SHA256=C03267AE1052023AA24A88C4C1B4041FD219B3E407075B8AAB8591A8D7437792,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000018045Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 08:42:42.880{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000018044Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 08:42:42.880{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0046b820) 13241300x800000000000000018043Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 08:42:42.880{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b9bc-0x9416c584) 13241300x800000000000000018042Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 08:42:42.880{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b9c4-0xf5db2d84) 13241300x800000000000000018041Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 08:42:42.880{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b9cd-0x579f9584) 13241300x800000000000000018040Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 08:42:42.880{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000018039Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 08:42:42.880{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0046b820) 13241300x800000000000000018038Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 08:42:42.880{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b9bc-0x9416c584) 13241300x800000000000000018037Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 08:42:42.880{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b9c4-0xf5db2d84) 13241300x800000000000000018036Microsoft-Windows-Sysmon/Operationalwin-host-340-SetValue2021-10-05 08:42:42.880{49C67628-FDEB-615B-0B00-00000000FC01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b9cd-0x579f9584) 23542300x800000000000000018035Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:42.474{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA5E7BF43F999218BC35CED0781A49BE,SHA256=2256A62646C70744A2AE3D12042471DB62F2A0AB898D63DE5636F8858E69F1FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033889Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:42.634{6EDEAD03-1002-615C-D606-00000000FB01}71363468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033888Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:42.478{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-1002-615C-D606-00000000FB01}7136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033887Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:42.478{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033886Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:42.478{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033885Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:42.478{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033884Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:42.478{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033883Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:42.478{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-1002-615C-D606-00000000FB01}7136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033882Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:42.478{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-1002-615C-D606-00000000FB01}7136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033881Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:42.478{6EDEAD03-1002-615C-D606-00000000FB01}7136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033880Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:42.134{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B67F752658E4A39DC5460B07CD2652C8,SHA256=3D2A7494336300977486712DFC2620F4AF5E6F6A784B9CCE0123F65BE2B94B04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018059Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:43.880{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-1003-615C-F302-00000000FC01}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018058Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:43.880{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018057Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:43.880{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018056Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:43.880{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018055Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:43.880{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018054Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:43.880{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018053Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:43.880{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018052Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:43.880{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018051Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:43.880{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018050Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:43.880{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018049Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:43.880{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-1003-615C-F302-00000000FC01}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018048Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:43.880{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-1003-615C-F302-00000000FC01}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018047Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:43.882{49C67628-1003-615C-F302-00000000FC01}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018046Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:43.708{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3C3FE0658DBA065B720D454F39149EE,SHA256=4206EE9C76A382CE83A38BBD339A0BD1B697A0F59CE3872BAFE066EF7212F3A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033909Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:43.993{6EDEAD03-1003-615C-D806-00000000FB01}41441312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033908Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:43.821{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-1003-615C-D806-00000000FB01}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033907Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:43.821{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033906Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:43.821{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033905Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:43.821{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033904Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:43.821{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033903Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:43.821{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-1003-615C-D806-00000000FB01}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033902Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:43.821{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-1003-615C-D806-00000000FB01}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033901Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:43.822{6EDEAD03-1003-615C-D806-00000000FB01}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033900Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:43.478{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1149AA97ADD392BD33CB0DE56313D3B4,SHA256=D7920245E2C4B5096B270AC8010CCF13846CDC354E272A360526AA701AAFEA73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033899Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:43.306{6EDEAD03-1003-615C-D706-00000000FB01}49485776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033898Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:43.149{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-1003-615C-D706-00000000FB01}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033897Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:43.149{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033896Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:43.149{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033895Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:43.149{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033894Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:43.149{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033893Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:43.149{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-1003-615C-D706-00000000FB01}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033892Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:43.149{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-1003-615C-D706-00000000FB01}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033891Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:43.150{6EDEAD03-1003-615C-D706-00000000FB01}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033890Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:43.134{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC6F030D3DA87EB2FDC4F012167732A,SHA256=170AC670F972B942AE5707FEFC8290B720DE19D2ED678F3950ADB1E2991C8042,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033920Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:41.810{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52384-false10.0.1.12-8000- 23542300x800000000000000033919Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:44.853{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51D24ED5361C8ECC4C57F41E233830A3,SHA256=0D5D1A6A2C5A77EDEA68AA34EED282D1CF9735A5F1C410D260C10D0C04BFD698,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033918Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:44.493{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-1004-615C-D906-00000000FB01}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033917Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:44.493{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033916Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:44.493{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033915Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:44.493{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033914Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:44.493{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033913Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:44.493{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-1004-615C-D906-00000000FB01}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033912Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:44.493{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-1004-615C-D906-00000000FB01}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033911Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:44.494{6EDEAD03-1004-615C-D906-00000000FB01}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033910Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:44.149{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=190F891F02B52F8DD6BBE7DBD38D25CA,SHA256=BC78A54DBDBF38D9906CE3B169C1AEBCA68BD8DA80D3A6F443B47CDD5932FC1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018073Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:44.552{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-1004-615C-F402-00000000FC01}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018072Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:44.552{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018071Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:44.552{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018070Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:44.552{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018069Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:44.552{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018068Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:44.552{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018067Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:44.552{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018066Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:44.552{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018065Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:44.552{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018064Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:44.552{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018063Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:44.552{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-1004-615C-F402-00000000FC01}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018062Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:44.552{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-1004-615C-F402-00000000FC01}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018061Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:44.553{49C67628-1004-615C-F402-00000000FC01}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018060Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:44.068{49C67628-1003-615C-F302-00000000FC01}13363712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000033921Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:45.181{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA566D62262D92D414EE57A301BDF8CD,SHA256=9BBBD2C7E362B53562858042E6242AA9A353706728D08D19CE30AEEDEA946973,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018089Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:45.224{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-1005-615C-F502-00000000FC01}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018088Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:45.224{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018087Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:45.224{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018086Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:45.224{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018085Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:45.224{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018084Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:45.224{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018083Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:45.224{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018082Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:45.224{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018081Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:45.224{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018080Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:45.224{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018079Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:45.224{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-1005-615C-F502-00000000FC01}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018078Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:45.224{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-1005-615C-F502-00000000FC01}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018077Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:45.225{49C67628-1005-615C-F502-00000000FC01}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018076Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:45.005{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C163F4CEEC9561CACB0C2D7F3397B09,SHA256=488C216C0D135A0C24A18A86FCC340A00D8529A863FDB337163BBCA570A107AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018075Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:45.005{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=832B24450792710D8ED3AE07B088FE18,SHA256=C6FBB9159A37624210EDB4C4F36102FED2BFABF8F9EB692238B533DBFBE68850,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018074Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:45.005{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC1A2C67112ABC4B5354478B2EB6AFA4,SHA256=A611370643642C9B0E72E0682654B6C29B27A4EEBA3C8EAEF1AF719EEE7C57DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033922Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:46.196{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=838D465F17D29B7C0F9CD6DE2E000C41,SHA256=DFE04516E8392D614F774704817BB6A8E89869703F1A2AC5230EDA39CDDCF5B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018105Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:46.271{49C67628-1006-615C-F602-00000000FC01}25283796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018104Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:46.255{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C163F4CEEC9561CACB0C2D7F3397B09,SHA256=488C216C0D135A0C24A18A86FCC340A00D8529A863FDB337163BBCA570A107AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018103Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:46.146{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-1006-615C-F602-00000000FC01}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018102Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:46.146{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018101Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:46.146{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018100Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:46.146{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018099Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:46.146{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018098Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:46.146{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018097Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:46.146{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018096Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:46.146{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018095Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:46.146{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018094Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:46.146{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018093Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:46.146{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-1006-615C-F602-00000000FC01}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018092Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:46.146{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-1006-615C-F602-00000000FC01}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018091Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:46.147{49C67628-1006-615C-F602-00000000FC01}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018090Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:46.021{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B10FF4C27885F95089B5CB1CAB2ABD9,SHA256=6762D6E811890D4974CA9F417C417C8B4E202F667CDF3CB1D24A50A55247C3F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033923Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:47.228{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA2FE23CAACBB2280F6246798E6B1499,SHA256=14AA36797BEDDE7FB8727CA7A4D247AB2B19C5BCC7CEBEEA1E9AA8A16E38CCA0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018119Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:47.990{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-1007-615C-F702-00000000FC01}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018118Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:47.990{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018117Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:47.990{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018116Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:47.990{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018115Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:47.990{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018114Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:47.990{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018113Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:47.990{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018112Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:47.990{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018111Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:47.990{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018110Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:47.990{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018109Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:47.990{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-1007-615C-F702-00000000FC01}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018108Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:47.990{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-1007-615C-F702-00000000FC01}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018107Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:47.990{49C67628-1007-615C-F702-00000000FC01}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018106Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:47.255{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDD01898512654AF60049B4FF8B6A7D1,SHA256=21E459E9FBC909B4C3FBFDE1D19FBF58B856C8B9568A50D125344F536D78DFF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018138Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:48.990{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7056E0958E37C05722E942C44C3A8A3D,SHA256=A0298A5DC227CB5DA44A1E3BD598399D4987D997CAD85F08D87C20EBBC5674FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018137Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:48.661{49C67628-1008-615C-F802-00000000FC01}33282984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018136Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:48.490{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-1008-615C-F802-00000000FC01}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018135Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:48.490{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018134Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:48.490{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018133Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:48.490{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018132Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:48.490{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018131Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:48.490{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018130Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:48.490{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018129Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:48.490{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018128Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:48.490{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018127Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:48.490{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018126Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:48.490{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-1008-615C-F802-00000000FC01}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018125Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:48.490{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-1008-615C-F802-00000000FC01}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018124Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:48.490{49C67628-1008-615C-F802-00000000FC01}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018123Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:48.319{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4960157C263B560D78724C452E131A46,SHA256=BDE42DE538505C5B196FC820D36153C7E95C87905A183E31B9FD9106F104B90B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018122Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:48.302{49C67628-FE68-615B-9F00-00000000FC01}1772NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033924Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:48.228{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEC960B499AB63773EFD806EDE387044,SHA256=9DE51EF9265C6318B5439585B8A3E39F04B1E3F47490094E86C04A98F2AAF55B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018121Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:48.286{49C67628-1007-615C-F702-00000000FC01}2012436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000018120Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:46.147{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50618-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018152Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:49.318{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6D3EDCC1F25180B9F94092D36877FF,SHA256=70D41815DB9B8688F870F2598E18540BBE25163A0ED07A8720927197D05D8046,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033927Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:49.853{6EDEAD03-FC1D-615B-0D00-00000000FB01}9082228C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1600-00000000FB01}1288C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000033926Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:49.244{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9BE0CC2E8D9FE4602BF39F1C27167D7,SHA256=D85ED1FEEE32BF2EFF1FAC2B964A0C58F105891494DD4962789F63C48CC3D2D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018151Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:49.161{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-1009-615C-F902-00000000FC01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018150Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:49.161{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018149Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:49.161{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018148Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:49.161{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018147Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:49.161{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018146Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:49.161{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018145Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:49.161{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018144Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:49.161{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018143Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:49.161{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018142Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:49.161{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018141Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:49.161{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-1009-615C-F902-00000000FC01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018140Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:49.161{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-1009-615C-F902-00000000FC01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018139Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:49.162{49C67628-1009-615C-F902-00000000FC01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000033925Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:46.857{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52385-false10.0.1.12-8000- 23542300x800000000000000018155Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:50.380{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1135C259B8076376C7061F1062AD6C2,SHA256=D88CA48264B2A11C4C1142FDCA7DB7FC5488933A919328CD296795077F24D3B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033929Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:50.837{6EDEAD03-FC1D-615B-1200-00000000FB01}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=67885017A9E399E25645C536DC3E243A,SHA256=FDC2C14B99C8FD89EA2521893E0BF33E65979210EF1329676C107455980876F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033928Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:50.259{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDCFD3F251E7E452E6AE23DEC5573DE7,SHA256=5643FE6A939E829C62F458ED6E3DADAB3C08387555D3A5B65384A218EA0D6B47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018154Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:50.208{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20EF7D41D98AC59131FA451C4EA73D25,SHA256=0987553DAC374B368C0902BACFCF21F37D90352446C652214B99E9C7FDADBDE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018153Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:48.350{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50619-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000018156Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:51.599{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09A644AF87C9B23DEACC32A74896B204,SHA256=8AF5C2DF6F30FAB4C805234AC42D762702D4BFEA1BC73713436D29D740CC2E2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033930Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:51.274{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B142B056173B900B8D3D149F8529F2F2,SHA256=79154FA8D35A1FACA5DF0399A4B7EE7096D1CF1BE63C5418792A45F72207E43C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018157Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:52.833{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68687CD6A7E15012BB8A41DF199951B7,SHA256=18A8A45F903ECE142B7060D716C0DE01773E1CEF4FD78E0FC53F4F3C7E83B0BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033931Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:52.274{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9241950D3BBC15A82F106B2BD34FB0C2,SHA256=F785E157C2E3F846A9753C9E2FC3E5B9B641B7EDC7678A7A0EC0C99ED5320287,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018158Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:53.911{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E03A38B4C2E4B9727102E16F8AB1EA3A,SHA256=057A7B90AC498D1FDA17BADAB473B2769C08D29EC22FB578127816EDB882EE80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033932Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:53.353{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57EF8A699BB3CC0500A950BE4FA7FB23,SHA256=94534DBCFE6C662700AB9BB4ACAA289F9112FBA58D8979306A62D67334EE0E5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018160Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:54.927{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A57D3CAF206B41682DB8569D5E55B51E,SHA256=AB65AD22A7C08D475D11A79D773DD6EC945D30C2D3A7AE16A32D990E7EF5F743,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033933Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:54.446{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2C257E4654E19880369054AC143243C,SHA256=7DD8B20EB53809856460EA811FA13E6813C1F99CDD637300AC5BADA5C7D6D7D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018159Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:52.194{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50620-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033935Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:55.556{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=020B358B4D4948B948A7F35C6D9BF797,SHA256=8E0C78DDF843F713A66D5AF4254D651FCD19BF88CDC7A4B220D0E5210316EC8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033934Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:52.763{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52386-false10.0.1.12-8000- 23542300x800000000000000033936Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:56.774{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6D9EAFD5E3642C9FE6DDC9FA2A6D577,SHA256=72C7734CCE9509A686C78E6C220E6215DEEABDA18A4579D76ACD49EEB401653D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018161Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:56.021{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AA28EA6619899C931490E21027E2561,SHA256=2D489668B9223DD2255A270D9122F5F389EB7E1EBF991E949699AA7511FA8902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033937Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:57.853{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7073977A15B690B7427DCF09B8B5425C,SHA256=DF465FE99B0DA691816C0FCEE8C0F930C3F833570822A691533D4A7013859A27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018162Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:57.161{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32CCB07A4AE45C340AB994AE68E43AA2,SHA256=D4A200D68AAC65951077B35725921A72167248817294A821E0D88A7EEA7DD4A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033938Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:58.868{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F49DD779C962A3642142ED8872ABD6AB,SHA256=2A4C276EC5591246ED6FAAAFD48F76789F70B4DD84388C6EB0AABC3F1A348C59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018163Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:58.302{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3375B8EEFF86DAB022F9B83A8337FC89,SHA256=B20D6C65368785A794647CE9ED69F57D4F24F0B57CD43FC73891D8E10E0A3534,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033939Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:59.868{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40923910635CAA44349358D3FAEC9521,SHA256=7174BC8214B2702F7F7A29D78047B928BE037D7E1A6903BC3DD67A49805AE415,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018165Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:59.302{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA5D7475008D33B6A4CF09C5E07469F1,SHA256=549682043499ABCADF7F4279232CEBF0D34D88F96B1E15C98706EDBAA422928F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018164Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:42:57.241{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50621-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033941Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:00.945{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E39369651791D4DCBB560704BFBD9B94,SHA256=6660DE433AEA91EF13E54A46EFB392940B72AC31549B0AD208877BFC0112F7A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018166Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:00.316{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5F807D0EA8B85EEB9A71D8D51494D4A,SHA256=9413973A2B98DD8853E4B9C489A0A3B839BB12BB6C11C9DB57F366DA19A545D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033940Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:42:58.747{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52387-false10.0.1.12-8000- 23542300x800000000000000033942Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:01.961{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE32B3A3DFAE62AEDDF08396BFC8A27C,SHA256=BD941098B4EC0C2740E8942661D17CA92C6748E0C4001E666456186A510E9F30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018167Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:01.535{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7470AFA915FD2FE4C09B22E9A1A109E,SHA256=D37D0DE4B7A7BA1D119DA6C0D6A380C268FD5B1C61395F74C90CFADD363977D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033943Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:02.992{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D79ED4EED69DB7CF1907AD0105C1596B,SHA256=8D42800C1112149085D6272D8F130635F3AFECFC67B48D77A9E0ED394DFF9044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018168Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:02.613{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3D7F5B2C53896CE9BD87215E513C307,SHA256=5AFECE9836E21F94164339EC3A1C2F370684A5493B2E037665F3CAF330D3C21A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018170Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:03.847{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8F03A25EB2AE5D9EEF3C122FCB68176,SHA256=742941CD2DB934CAD6C165B8E8CC35930B9131BE0F0CA81BF9939808EC2A5F57,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018169Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:02.302{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50622-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018171Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:04.957{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCD5790124EA0112B240939018437FE8,SHA256=C1911C0E0EDF30ACAE0AD6B4B8C221FBC53C774315391580299A365FA14EDD16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033944Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:04.164{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=286DB406FC054CB5750C968C0963C6AF,SHA256=EE9034C35134149512453B1322BAA2CBF999A35B176E7794598BEF6A98FF0008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033945Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:05.195{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ABA38CCE8EE0FF9F51053A8D24C309A,SHA256=E066C75C170A34B45A4E95AAEB2C7FA64F1A1EDD47FE61E7AA2CC8DBA5028EF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033947Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:04.700{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52388-false10.0.1.12-8000- 23542300x800000000000000033946Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:06.196{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4241558A5FC38D02AB9D87D0539447CB,SHA256=7155B3484C0B84B1374F7C5680423015EFE2DB7A6641D1A9C24AACD5307D1989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018172Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:06.175{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F65E7C57FA838B3D4A2781E358B3C26,SHA256=7E5C9FBA530DF65DE132309F4760220AE7BD8D6B8E73164D51F9C7DD1288866E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018173Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:07.410{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=530D0E47BDB9281BE177EF57D83CADD7,SHA256=FE363C4AAD4CDB327BDCF9175814603046DAA22438B5FA776BC05BC81AD9DBD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033948Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:07.196{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=669E4F49CF6B80D53A8E5EBDA4108017,SHA256=E2B1BA2B8A7544D917B3A61FF497B7A3C4B5B18EC6DF464CB7592A4E2EFA4ECC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018174Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:08.550{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB721DAEDD2928EBBF5E82C393F40EBA,SHA256=CFC5DD00D63BD6CCA7AC4D3D7C9B7E84629B46EC49C44EB948F47492FD2735D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033949Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:08.212{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1314CABF6EC877AABD173A7F170E206D,SHA256=E06787711AD65278E6D89DAD803700F36165C97950C5FC16F9A63C38B992EF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018175Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:09.550{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD2162CAEB4E7728D06B21C5EE05CCC1,SHA256=3254B62584D21234A5BA7C7E1C057AC380F7F2AD8BB8A2E37D79D8EE4976547A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033950Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:09.227{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E231ABB1D3C02E2D7F04CD456496381C,SHA256=1E16A1C4ED28CA3F3A7F38624AE2977A0DBE10A998ABB6C617015A753ECCE2EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018177Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:10.785{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A3D45971E639EBE2E5AB32C26BA676E,SHA256=A7CAF9E49DD3A8CD4F363E1373E4AF2070538F42B5F8D11EDA2D3C3B731C66B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033952Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:10.839{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\respondent-20211005071805-082MD5=AA6F78CCC35FD74424B933C975A9F779,SHA256=482DFC86E7C4A11E76E3E352EB64B396C84C083D9F57F37823883232EC55A225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033951Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:10.227{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4637E8A1F86A0585F8C12F968FC71D0C,SHA256=9CA7F48EA31F2DD53524BC907138D5F16443B4BB444A56F023CA0999C2BD0B61,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018176Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:08.224{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50623-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033954Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:11.852{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\surveyor-20211005071802-083MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033953Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:11.243{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEF6DF1C1F2373DA6C6E2A7681D9B07E,SHA256=96D18897CF44703E779542E7D5CF18797F9982C197C4F55087E1FBFCDCD42061,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033956Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:10.654{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52389-false10.0.1.12-8000- 23542300x800000000000000033955Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:12.257{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4AC3BE02B183B79BDB4B3507E5F2706,SHA256=9D38862917FDBF30CF031D01AE13448FCE4A8EEA4D8EF06081F4F8A33FCE6087,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018178Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:12.004{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB4F51957C68EC2FB0CFE07B90A8603,SHA256=EA896AEC05FEFDF622EF9593EA4422100438AA65FC621598BCEA4039E3386BE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033957Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:13.260{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C2283ECA9B940C24E533CDF672C4B8D,SHA256=D9166B97E5ACF50AF7ED5C2EE1DEB4824D12B47B226C7FA5D39B28158B624B4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018179Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:13.222{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BCB0C0674CB9FD77070FEF5E8509BCC,SHA256=CFDFCE26BC0B78967A1A780E9148D8C473FC858D09C6D234004127BA47B3DDC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033958Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:14.260{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DA8CCD4D0A079A55780AB2E2A14BDEF,SHA256=1323DDEE2431722FD86F36A3EA3040EFC7D24A925CD9E445408148980C54C38A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018180Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:14.222{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D0131DD9ECF3B4CCA45E1674EAAD3DA,SHA256=532F0731E4474432BE991A1056F8B2F37579D35BCF833F0D51E3E84527E5271B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033959Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:15.353{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB78978EC1782BF5A6C99140A8F12FFF,SHA256=7B75965548084E4270D2CDBB4641579E27FA31DB29B57D35EDF138F3EF1A126F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018182Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:14.255{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50624-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018181Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:15.410{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CCEEE55B9EC5D2DF3977F68B884AC4E,SHA256=67E92084FB0BE1A657FDB237FF539D3D69EBAF087377DA35AA69EA9C1BA85C0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018183Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:16.441{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E244183EECB1C06357D8CEF0B10242ED,SHA256=C98E71139735EBE977D6D33CCA7AE7565380D5931296A046932352A0264139A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033960Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:16.353{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61B4C1D84ED1E10696FDB66B045E9D9B,SHA256=2E5AB2DF6928442715807B7347859E5DE60739346C95AAD674E2F74DCF0C6EF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018184Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:17.457{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17C3140B76672B5716FCB5FFC2A89CF1,SHA256=729753A774484A6B40722141D5183429FAB479C3F88474568D84D5597A30667B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033961Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:17.369{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFE9BD8EBE3627108246BC6F77E2BFF0,SHA256=6A3574DABD0A107C78C0DA64ED8090F36F273A12B3C4EFC3EA092614781DC5B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018185Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:18.675{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B1F4F86216155D76F7A4E5C9AC76456,SHA256=F9A7E2D79253069494F76E5962B00D33CE6C6C2DB71A12CF85271DC09933F386,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033967Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:16.452{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local52391-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 354300x800000000000000033966Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:16.452{6EDEAD03-FC2A-615B-2900-00000000FB01}2912C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local52391-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 354300x800000000000000033965Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:15.842{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52390-false10.0.1.12-8000- 23542300x800000000000000033964Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:18.385{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F5E8F4AC7DA7AE015A990B4D10619D,SHA256=FA4A02ABB2A83AE5DA1D99E41507A174CA7B9527070E04BC2CBA17C441DBCA62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033963Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:18.057{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6542FF6E8B838283DF9868E786301E68,SHA256=2EA9EC9E2D442B727A38437AAC06CFB7A70603CB0C09362BDC8716E888D0FD26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033962Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:18.057{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE794886F0B9FBBA369A0A55BF4D71A9,SHA256=8AE05AC990FA03260DB643B6D8A908E16EDC07C7823F1AF2610BBF687D6B01C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018186Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:19.910{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12F4CFF6E92EBA156866D030C90FB57E,SHA256=DD27CA24FE6A9684ACE035E43594C6AD1CB6D62486053BDD50EBFA555B0DC669,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033968Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:19.385{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B1E341488A4F2480777F0C8548BF3A7,SHA256=9C9131F68AF19618C499EAC882C5EFE2F5DBD4E49CB7CD53D8DEE704A7BD94F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018187Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:20.961{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=642F594F6CFBDB2DBC3A97D266AB8AFF,SHA256=CE2C8B152ACEC32455504BC10313664BDEE8C8A6C77D93F018D3687A4FBD46CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033969Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:20.387{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CE4F4755C0FF27B4BAF1DF8CEBC1F13,SHA256=042760D80797534E898F4D3323F0762350C98E9DA0D3DB1B5DF8CBC30123A57D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033973Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:21.465{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1500-00000000FB01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033972Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:21.465{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1500-00000000FB01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033971Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:21.465{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1500-00000000FB01}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000033970Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:21.387{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F01F8F68E9798F027F01675CEE28123,SHA256=DB6EE2C2AFA76F1F8A629FCF795D6A83296C9A584F1A48E0768F3E10B9B9D921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033974Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:22.402{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D9BAE7A0F0E92729B8EE9EA5A53316,SHA256=06B1A4C99E0A1365CF955D5997B0D167E60F2A42DE44B3A44BED73C2034E0314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018188Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:22.164{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=276C94906CB3DFD6E88C7480C3A0FB26,SHA256=831861462C33A076624E140552F1DF0BE47DDA14D11990431C8EA04E501B10E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033976Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:21.813{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52392-false10.0.1.12-8000- 23542300x800000000000000033975Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:23.402{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FAD11147B3CA713A928B0C872D3E64B,SHA256=67D0AB0A0647C3FD92CDFA7219B333B9EEDDD8B50F8375ADB69F4B8A687BB194,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018190Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:23.164{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9118F59FB4709B1A63C0FC059CAC4A5E,SHA256=893BCAC1E6E05998DC4F6A4703769F53B77EA1F44DE9DC50825AB64F66EC2C34,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018189Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:20.275{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50625-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033977Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:24.418{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A951A8822C643112F468D64EF6AD755,SHA256=250465516C9CF16E292149D698B0B210574C7976DD847D2958DEEDC7F9FF1F24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018191Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:24.399{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D587116CAC608793EC21E6015E31BB23,SHA256=EA22F4759C13FBE814F9E42019BF8AB1074D2DFA0166CD575608648513605FFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018192Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:25.539{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=036F2CB9EDA100038527D030A6950263,SHA256=5C3B4752678C6D4EB27DB08768D9ABA1ABF324A16E9E67A892945701F6555CCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033981Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:25.637{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFC3388EC89593CF015E73FA6953953C,SHA256=A43C9B982EE72803B157F760BFE7FEA496AF0DFFAF2654D63B66967BBEEB9C3C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000033980Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:43:25.340{6EDEAD03-FC2A-615B-2D00-00000000FB01}1000C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x800000000000000033979Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:43:25.340{6EDEAD03-FC2A-615B-2D00-00000000FB01}1000C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\3921F692-FD43-40E6-838A-1597F7469C61\Config SourceDWORD (0x00000001) 13241300x800000000000000033978Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:43:25.340{6EDEAD03-FC2A-615B-2D00-00000000FB01}1000C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\3921F692-FD43-40E6-838A-1597F7469C61\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_3921F692-FD43-40E6-838A-1597F7469C61.XML 23542300x800000000000000018193Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:26.539{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F89966A87B0760B4A42E2E3A5182A2,SHA256=38BFE50C41FFAD0247661462DF4696E75A3C4F6C2A6790CE0BAB60515CAED978,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033984Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:26.762{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=804178C65A04C5EC02EE89379C6DBD75,SHA256=F203BB294B21A49558E1DC51F7CBCCB939BF2200C06A1DA03619DA17AD1C8076,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033983Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:26.433{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CF3CF0C109E7522F8F125ADCC1FC44E,SHA256=1458E2C3DC64856E04FE052F693F05618FE803394362698EDBA451DCEDAF0DA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033982Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:26.433{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6542FF6E8B838283DF9868E786301E68,SHA256=2EA9EC9E2D442B727A38437AAC06CFB7A70603CB0C09362BDC8716E888D0FD26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018195Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:27.774{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45DEE804488261A5B2231B5764B38DEE,SHA256=1434FE603CAB1F7DED16FF0E42EA388625B6334FCED00FDFA8B60A72156D1CFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033991Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:27.762{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D60CE2A0E4C308FD013DAA69981427D3,SHA256=A2F6DE7EBA3D45FB7DA460ED9A31A04AFF53884D021E9BE7D914743F1D8239B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018194Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:25.307{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50626-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000033990Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:24.966{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local52395-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local389ldap 354300x800000000000000033989Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:24.966{6EDEAD03-FC2A-615B-2D00-00000000FB01}1000C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local52395-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local389ldap 354300x800000000000000033988Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:24.953{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local52394-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local389ldap 354300x800000000000000033987Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:24.953{6EDEAD03-FC2A-615B-2D00-00000000FB01}1000C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local52394-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local389ldap 354300x800000000000000033986Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:24.939{6EDEAD03-FC1D-615B-0D00-00000000FB01}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local52393-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local135epmap 354300x800000000000000033985Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:24.939{6EDEAD03-FC2A-615B-2D00-00000000FB01}1000C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local52393-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local135epmap 23542300x800000000000000018196Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:28.774{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEC58EC9EC7EF5D24917BA71C7321B9A,SHA256=2357C94360214A413309A6162DAEF497F986375126D609E29BDA748CEC11D686,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033992Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:28.777{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=577992EFB2294A1E37BC0423F36824D7,SHA256=0D313D3670F07C231AFE01E764B09668255C45F9511E68E4FB284A31A15A4522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033994Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:29.777{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=303943936E46B2263BF75392161EE15E,SHA256=2225F5173899FB7B5433EA2FDAA9E5BF3D8CFED51B1A1B65D26F4F6D5B768750,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018197Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:29.450{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\respondent-20211005072534-075MD5=9DBD3CF651CAD1963D7DD9E70795396E,SHA256=D00FE5240C0E39CC33FD8ADFFDA13197E8833401D0A3D05F731F6A79B8E00229,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033993Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:26.845{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52396-false10.0.1.12-8000- 23542300x800000000000000033995Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:30.793{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CABE8AF71403EC86F31B571763DADEFA,SHA256=504C283113741DD04A347972D64E437566BA7A0F081B8D3C3AF6624C1A41FF57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018199Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:30.456{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\surveyor-20211005072532-076MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018198Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:30.002{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AAAB9815CA0170FA1CFF56429B412A4,SHA256=5E4B7540E92C3445615B60C62D8EFF36DFBBD2501EE466DCC3593FAC905F4D92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033996Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:31.824{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80F05F14F71784F4B5ABCC39E63A3A8B,SHA256=7FF25F0598E8325E0B1B60CD0B3317B18DAE66D73B632C97AB24F4B66B0B0164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018200Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:31.237{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10FE3497529C49972F544754C4423600,SHA256=A32AE15A9A8C6AC640CC95B51D0EB6E4B2942222F9D2672C80B4634F96D7774E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018202Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:32.596{49C67628-FDEB-615B-1100-00000000FC01}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0D839939DEBAC508806959A5D867AF1A,SHA256=00CFFB5346FB90DDB2BC54C961CBAE1C261564D17A40E64E15366AE96FD97679,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018201Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:32.440{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B8B1D6397CCC4EF2A2FE9AE8E3256F4,SHA256=15D912EBB0A9263A407C382418B5294573177F9BE2A2851421F62B1F697E0318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018204Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:33.612{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F24948A473557D06F7A4543C0D739A5B,SHA256=7E0293D6665DDEAC3B7499632C29540A26FC4F397BC83D6D1D5B99D35FBB0E49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033997Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:33.058{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=269FB78BE245210AFA9E104C2AE74651,SHA256=8478ADBF2133466BBA85845DC5A750E06EE50DB694625FCE99F50D7FEC5AD4E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018203Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:31.114{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50627-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018205Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:34.612{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A274DE73560EBCE8445A61D0A3354DF,SHA256=2F7800055B74E1CC53F1D90450887AC4A0914DF90355F21AE3F83F857BF96AC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033999Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:32.704{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52397-false10.0.1.12-8000- 23542300x800000000000000033998Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:34.199{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5367AD9CA3B5FB923C9558106B5D386F,SHA256=FE4F04AE294458272FD0E41EB645537099EFB60D1D2ACA91018817F3E239212B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018206Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:35.628{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDED0F5B330CDE192553C59699AC804A,SHA256=88B8AAEE24DFA8321CAA30BEE277FFA8DEF88EEA1F452C384471DAB92FB595A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034000Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:35.418{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11F0EE0E7B853DDAC3A82B11B180088A,SHA256=3EA1905A774346407E7BB645CBF0F3D9A9ABC6E5DF32DE7F8325BCACA7DBDF13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018207Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:36.643{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1AB08AC06FB2D5EA9043A26CF8F2AD7,SHA256=928645453A365FE84C65CF576165CD850CCC50FBF2399A13B6ED4DD6A6BC6AA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034001Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:36.433{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B7E1296664B2D3445A4C8F7A917C775,SHA256=6F802154983EAA1E67F396ADE4B34C1DE74CB619AFEE28D5C8164FCD7725636E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018208Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:37.643{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4CED5921B83750515F8EDB0199379CF,SHA256=93D6A8EC6A11D04D44690251917ED3C7742CF2680897F4B66B42BC58493C7D17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034002Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:37.480{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6F415382CDDD7DBBF69C2FB55C879C4,SHA256=2262F1E277F17DDAE88BE73E57B4AF9811F06F25F37C779BE61E94379DCA6932,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018210Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:38.800{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF6620EECE1684C1084548A9B8325B92,SHA256=C9B1F6EC02A13BD2716D0D9C188E95A86ED079E6E7AC914BF20DB75EAD5413FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034003Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:38.480{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF8DFA5B90508CFA3FB3751B8BE51D51,SHA256=43E4439D4E810A2F8A88608821F63604DF4CA1637E6296151822A8E143B1C065,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018209Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:36.145{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50628-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018211Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:39.951{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5006F614F9CE5D80E2B6F6E6F6901CA,SHA256=C9C03EEF7282CE46E9C2621C8F27037A5291B4FA171872AA3369FAF414A75F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034012Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:39.527{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB1FE72B0DA735751CD48A1AC9EF73F1,SHA256=B0BDEEB517C7F07FF52966085054B8261E93E2AAB5FB3027A8DF56E198239B67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034011Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:39.480{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-103B-615C-DA06-00000000FB01}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034010Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:39.480{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034009Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:39.480{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034008Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:39.480{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034007Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:39.480{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034006Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:39.480{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-103B-615C-DA06-00000000FB01}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034005Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:39.480{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-103B-615C-DA06-00000000FB01}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034004Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:39.481{6EDEAD03-103B-615C-DA06-00000000FB01}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018212Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:40.966{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3440939D92FE88121438C175E0582463,SHA256=767779D4D54258EE099D1070EB746EDDA647F0C5014370BE90FB5FA85A090A40,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034034Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:37.844{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52398-false10.0.1.12-8000- 10341000x800000000000000034033Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:40.688{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-103C-615C-DC06-00000000FB01}2420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034032Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:40.688{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034031Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:40.688{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034030Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:40.688{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034029Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:40.688{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034028Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:40.688{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-103C-615C-DC06-00000000FB01}2420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034027Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:40.688{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-103C-615C-DC06-00000000FB01}2420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034026Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:40.690{6EDEAD03-103C-615C-DC06-00000000FB01}2420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034025Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:40.532{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C219222EDAF7B4919EB6ADD71BF4EA7,SHA256=9C6FDD663BFCEBC97A175844322861A00825F421686DB7E98556F78DADD3BBDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034024Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:40.485{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED3018695B46EF8A81F1EDE186C7A796,SHA256=C1073E03D01ED40D0F4FADE1C8B12BC3EA24EB853571535C86378B687A516E62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034023Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:40.485{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CF3CF0C109E7522F8F125ADCC1FC44E,SHA256=1458E2C3DC64856E04FE052F693F05618FE803394362698EDBA451DCEDAF0DA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034022Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:40.329{6EDEAD03-103C-615C-DB06-00000000FB01}64966928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034021Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:40.157{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-103C-615C-DB06-00000000FB01}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034020Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:40.157{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034019Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:40.157{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034018Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:40.157{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034017Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:40.157{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034016Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:40.157{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-103C-615C-DB06-00000000FB01}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034015Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:40.157{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-103C-615C-DB06-00000000FB01}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034014Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:40.158{6EDEAD03-103C-615C-DB06-00000000FB01}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034013Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:40.048{6EDEAD03-FCBF-615B-AF00-00000000FB01}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034037Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:39.631{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52399-false10.0.1.12-8089- 23542300x800000000000000034036Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:41.766{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED3018695B46EF8A81F1EDE186C7A796,SHA256=C1073E03D01ED40D0F4FADE1C8B12BC3EA24EB853571535C86378B687A516E62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034035Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:41.532{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F361C7788221A8168C1B57A1CF1B9FF8,SHA256=3763135A907A099485FB5DC21819B2138F8B7115782E0C933F5C98CB86D3B147,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034047Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:42.766{6EDEAD03-103E-615C-DD06-00000000FB01}7846836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000034046Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:42.579{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8FAB9B13015421E5F8B1F721EAE1D1C,SHA256=CB05661C847B04898886DD0B7E7E6627FDDD1BB8B186A85B020E3C89F796057D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018214Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:41.234{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50629-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018213Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:42.185{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4CD5B6915DC7E494FCD4410D58A516B,SHA256=7B61D567D3A68D3751893AD5B17271A16178F26BE02B096D78E1035E1861C606,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034045Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:42.485{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-103E-615C-DD06-00000000FB01}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034044Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:42.485{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034043Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:42.485{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034042Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:42.485{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034041Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:42.485{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034040Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:42.485{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-103E-615C-DD06-00000000FB01}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034039Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:42.485{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-103E-615C-DD06-00000000FB01}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034038Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:42.486{6EDEAD03-103E-615C-DD06-00000000FB01}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000034073Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:43.891{6EDEAD03-FF62-615B-F802-00000000FB01}50525756C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034072Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:43.891{6EDEAD03-FF62-615B-F802-00000000FB01}50525756C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034071Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:43.891{6EDEAD03-FF62-615B-F802-00000000FB01}50525756C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034070Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:43.891{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034069Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:43.891{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034068Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:43.891{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034067Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:43.891{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000034066Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:43.641{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4FDADCBE54BBA8EA406E66F42718EFD,SHA256=B1BA7E5670A1F3DB37D6BEC07BA0209AABC5079444064249F6DE17FBE050770F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018228Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:43.888{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-103F-615C-FA02-00000000FC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018227Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:43.888{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018226Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:43.888{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018225Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:43.888{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018224Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:43.888{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018223Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:43.888{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018222Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:43.888{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018221Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:43.888{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018220Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:43.888{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018219Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:43.888{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018218Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:43.888{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-103F-615C-FA02-00000000FC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018217Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:43.888{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-103F-615C-FA02-00000000FC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018216Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:43.889{49C67628-103F-615C-FA02-00000000FC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018215Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:43.201{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A46F2005E13BAE210945D927EC4627C5,SHA256=FD9C0594E35486EF1FA684395B98162402E5AFBFD43123A19AA185D3E380744D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034065Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:43.626{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-103F-615C-DF06-00000000FB01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034064Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:43.626{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034063Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:43.626{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034062Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:43.626{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034061Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:43.626{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034060Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:43.626{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-103F-615C-DF06-00000000FB01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034059Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:43.626{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-103F-615C-DF06-00000000FB01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034058Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:43.627{6EDEAD03-103F-615C-DF06-00000000FB01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034057Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:43.485{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=952939260FFE46ACEA41E371750E2FA8,SHA256=726E635B2760426452E28361121D7B92BAAE3CC5462E70149C4206F9120BF1A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034056Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:43.173{6EDEAD03-103F-615C-DE06-00000000FB01}9886296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034055Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:43.001{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-103F-615C-DE06-00000000FB01}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034054Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:43.001{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034053Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:43.001{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034052Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:43.001{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034051Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:43.001{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034050Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:43.001{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-103F-615C-DE06-00000000FB01}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034049Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:43.001{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-103F-615C-DE06-00000000FB01}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034048Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:43.002{6EDEAD03-103F-615C-DE06-00000000FB01}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034084Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:44.657{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1065AD6B59C1F4278658CDF89E49D3C,SHA256=043431802152F20B12594801E436F765CC57CC5C81484C9586F2E167087E3714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034083Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:44.641{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20B5F63A51E3C80A8B5F6C4F209D73BD,SHA256=F9C45EFFC5B95A95FEB5BD7B4E9EA21D1E0D4FE73AB4A537306716A79CE48ED0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018245Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:44.919{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AD4FE6BE0EF47F397F546B2341EDF4B,SHA256=3451AEE594010BEAD40DF607F8007A9483F205D347991285B5F8835F2B3A65B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018244Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:44.919{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAB0CE59F1D73D0A2E03C3F5EB7D3EF1,SHA256=A664A0530E8A66B195FB166238CAB2202FCD16F86CE2F99DADE672B167F8EA8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018243Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:44.560{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-1040-615C-FB02-00000000FC01}2160C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018242Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:44.560{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018241Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:44.560{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018240Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:44.560{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018239Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:44.560{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018238Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:44.560{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018237Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:44.560{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018236Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:44.560{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018235Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:44.560{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018234Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:44.560{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018233Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:44.560{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-1040-615C-FB02-00000000FC01}2160C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018232Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:44.560{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-1040-615C-FB02-00000000FC01}2160C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018231Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:44.561{49C67628-1040-615C-FB02-00000000FC01}2160C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018230Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:44.419{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D9CE568654BD2D6444D8963AC5B210A,SHA256=30E374435A5CB366D8102F23C223DC336FBFCC9921FF1311B873D2474AB425DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034082Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:44.454{6EDEAD03-1040-615C-E006-00000000FB01}61766192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034081Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:44.298{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-1040-615C-E006-00000000FB01}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034080Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:44.298{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034079Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:44.298{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034078Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:44.298{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034077Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:44.298{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034076Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:44.298{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-1040-615C-E006-00000000FB01}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034075Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:44.298{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-1040-615C-E006-00000000FB01}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034074Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:44.298{6EDEAD03-1040-615C-E006-00000000FB01}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018229Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:44.029{49C67628-103F-615C-FA02-00000000FC01}24282412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000034086Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:43.740{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52400-false10.0.1.12-8000- 23542300x800000000000000034085Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:45.657{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58D500F313F662D1BB27C6820F0A9519,SHA256=3648EB1BDAD837DA61EACB498F43367E95A13D10234E58F9B90D0697180306B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018259Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:45.622{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F05596B5AA64B8C546E0E60C05A1994C,SHA256=008BB0ABC7BEE5691EB96D8DEDFB2B4BCA602DE18D375F40794D293FB4F93475,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018258Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:45.232{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-1041-615C-FC02-00000000FC01}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018257Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:45.232{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018256Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:45.232{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018255Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:45.232{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018254Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:45.232{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018253Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:45.232{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018252Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:45.232{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018251Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:45.232{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018250Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:45.232{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018249Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:45.232{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018248Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:45.232{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-1041-615C-FC02-00000000FC01}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018247Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:45.232{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-1041-615C-FC02-00000000FC01}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018246Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:45.233{49C67628-1041-615C-FC02-00000000FC01}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034087Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:46.829{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC5B3F416C265D3377985C30C7A365B2,SHA256=92BEB5E188EDE7C6C114C0D3C19BD049C195F8DAE13797E844B79891A33045F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018275Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:46.701{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BC7945DB0BE9E9A1102A28ADC96E693,SHA256=DA98E94D8C96D1E3DEE3FD002DE6A2D8B2D7524B12DD0119648A5F467088B3CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018274Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:46.263{49C67628-1042-615C-FD02-00000000FC01}508992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018273Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:46.232{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AD4FE6BE0EF47F397F546B2341EDF4B,SHA256=3451AEE594010BEAD40DF607F8007A9483F205D347991285B5F8835F2B3A65B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018272Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:46.138{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-1042-615C-FD02-00000000FC01}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018271Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:46.138{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018270Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:46.138{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018269Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:46.138{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018268Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:46.138{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018267Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:46.138{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018266Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:46.138{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018265Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:46.138{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018264Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:46.138{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018263Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:46.138{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018262Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:46.138{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-1042-615C-FD02-00000000FC01}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018261Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:46.138{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-1042-615C-FD02-00000000FC01}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018260Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:46.139{49C67628-1042-615C-FD02-00000000FC01}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034088Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:47.845{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=748D681053E10A43083C487521100869,SHA256=2E1868CDE0CC21CB8AF937406A96F4D421EDACCDCD61C3EDDEEE914E69E76E58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018290Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:47.982{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-1043-615C-FE02-00000000FC01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018289Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:47.982{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018288Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:47.982{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018287Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:47.982{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018286Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:47.982{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018285Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:47.982{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018284Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:47.982{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018283Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:47.982{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018282Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:47.982{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018281Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:47.982{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018280Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:47.982{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-1043-615C-FE02-00000000FC01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018279Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:47.982{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-1043-615C-FE02-00000000FC01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018278Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:47.983{49C67628-1043-615C-FE02-00000000FC01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018277Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:47.716{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B727B80BFF5F423DDE07129E606EAAA9,SHA256=D2A2A3535840B0AD01D70F8AE2041DCFA66E02EC010EA3DD498901824A7CAB67,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018276Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:46.296{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50630-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034089Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:48.845{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=083C8C18E74D54ED2BADD0744B8991CD,SHA256=5250DCB3CF8F01107722604ADA2A2EA215F6AD0DD564E5296B819EA93F3DF4B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018306Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:48.794{49C67628-1044-615C-FF02-00000000FC01}38041748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018305Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:48.654{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-1044-615C-FF02-00000000FC01}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018304Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:48.654{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018303Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:48.654{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018302Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:48.654{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018301Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:48.654{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018300Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:48.654{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018299Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:48.654{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018298Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:48.654{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018297Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:48.654{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018296Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:48.654{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018295Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:48.654{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-1044-615C-FF02-00000000FC01}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018294Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:48.654{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-1044-615C-FF02-00000000FC01}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018293Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:48.654{49C67628-1044-615C-FF02-00000000FC01}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018292Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:48.326{49C67628-FE68-615B-9F00-00000000FC01}1772NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018291Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:48.138{49C67628-1043-615C-FE02-00000000FC01}19482392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018323Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:49.794{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6A81205CF62F0F80A4B09041F27F3F9,SHA256=5B71556F0FAAD46151F083292FAFC1151FE2424BE2F80836D36E715FB26C0944,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034097Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:49.016{6EDEAD03-011D-615C-0305-00000000FB01}57405284C:\Windows\system32\conhost.exe{6EDEAD03-1045-615C-E106-00000000FB01}6796C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034096Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:49.016{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034095Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:49.016{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034094Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:49.016{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034093Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:49.016{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034092Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:49.016{6EDEAD03-FF5F-615B-E202-00000000FB01}9724272C:\Windows\system32\csrss.exe{6EDEAD03-1045-615C-E106-00000000FB01}6796C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034091Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:49.016{6EDEAD03-011D-615C-0205-00000000FB01}54284716C:\Windows\system32\cmd.exe{6EDEAD03-1045-615C-E106-00000000FB01}6796C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034090Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:49.024{6EDEAD03-1045-615C-E106-00000000FB01}6796C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add HKLM\SYSTEM\CurrentControlSet\Control\MiniNtC:\Users\Administrator\ATTACKRANGE\Administrator{6EDEAD03-FF61-615B-7756-1D0000000000}0x1d56772HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 354300x800000000000000018322Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:48.375{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50631-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000018321Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:49.154{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-1045-615C-0003-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018320Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:49.154{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018319Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:49.154{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018318Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:49.154{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018317Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:49.154{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018316Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:49.154{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018315Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:49.154{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018314Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:49.154{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018313Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:49.154{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018312Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:49.154{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018311Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:49.154{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-1045-615C-0003-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018310Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:49.154{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-1045-615C-0003-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018309Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:49.156{49C67628-1045-615C-0003-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018308Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:49.154{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBDF143736070CEFDA82F2269D1410B9,SHA256=0819E48C1895B98B738D1ED4A40DBB0FE7DC6974FA004083406CD26BA8675015,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018307Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:49.154{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7497698027CCA6DD21BA867C098F29D9,SHA256=B7E3E4BD2263BAB66FC91AEEB95E774911389D5C31AC47BA2C37BF122917CE2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018325Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:50.810{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29110597609299D5DD2E300ABD42C238,SHA256=0A2EAE97C0DEB958EEB13E1462651324992B73B6DDFDD251C49E78AE86CA7EBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034101Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:50.845{6EDEAD03-FC1D-615B-1200-00000000FB01}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=763BBF22083DA0EC21B3A2876433B2DD,SHA256=BE0BE48FF167C917891CD53BA4A3B288D0065F70AF74CEBF32EB857CD21F7F20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034100Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:50.063{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=900FDF9AB5D04F4CBA37F71DFAFF6730,SHA256=CD867D827F4A84BFB56130BCDC86FC7C953C38955A4AE1B6E3EDB78315971E32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034099Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:50.063{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8EB1B76CF792A21C899A5A71E59451A4,SHA256=365DDA74764BDDD9A3D8FE9DB791D7EB56E39C5819676887789ECDACFEB3434B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034098Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:50.063{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DC65B41819DCD41EAACA4ACE2F7D9A2,SHA256=16DC28DC977CD71FD5E73732AD8D47260C4F0518105A4EE68F1E07222B6DB1B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018324Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:50.169{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4639C90698B270A792231D36F58200A6,SHA256=6990FE56E9FC77D1AF4CB7AA3A5E5286F140AF4BCF2B34F9B2932DB93107444D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018326Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:51.810{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3780544D6CB8EC4F7EA22CD693E252DF,SHA256=9B0AF63E2F1C1D7533E857398F2DF50DB7315C0ED90895B75B2FA54974001C4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034103Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:49.677{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52401-false10.0.1.12-8000- 23542300x800000000000000034102Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:51.063{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44122F07C95FA304773311866C8CDF9E,SHA256=DA0096888F47DC92AD69F522E852F466D1B760F4EB4CB4F84887A80BB7A4DFFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018327Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:52.966{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC81CD7BAB30686317797433FD7829CE,SHA256=C73B9095AA32CD13510FE75E99AD532F501687D2A139DD8530CD70867352F6E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034104Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:52.110{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B192B8CDA006CC4E983B6EC238BB604,SHA256=182EF71DBE195CBB70E196DA48DFA1912801CB4E3E1FAFF903575D038B26FC0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034105Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:53.282{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D166AC8DEF5A6EB5C96B16A6476DDE97,SHA256=4FEBF35191656118C76586032FCF079B3830A821BBF0561CB21A67375A72D4F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018328Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:52.078{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50632-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034106Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:54.313{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A894C46FF20060DBBE3E4A839A89B233,SHA256=98C425E1FDD097DE574114656307EDC5DC7F2F4E9C3D679D190C5FE2DCD2A0CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018329Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:54.201{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3116EAC94816CAD029F52EDA53D0543C,SHA256=3A9268B04A14D98D40AA05EF4D81C44B580DE27248CF7FCD6F1E5F062712DB63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034114Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:55.329{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9386D7248475B5E92EF1578DFD3B64C,SHA256=A165069B03F0CA7840759916C070DEBBD1AC4ED2728C8CE3F6116EEBED2365E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018330Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:55.435{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F85336469741ED5D48C3B2225C6F20B7,SHA256=DC92DC1FB11B8C3FC6239096F62C4663DBB860E5C3C004F0F82D1D35F002511A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034113Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:55.048{6EDEAD03-FF62-615B-F802-00000000FB01}50525756C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034112Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:55.048{6EDEAD03-FF62-615B-F802-00000000FB01}50525756C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034111Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:55.048{6EDEAD03-FF62-615B-F802-00000000FB01}50525756C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034110Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:55.048{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034109Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:55.048{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034108Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:55.048{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034107Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:55.048{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018331Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:56.497{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=963B9B496FEC99DC7E4661D17ADD2AB5,SHA256=1DF1E9E30D01D06BA7DD91FFBF4740EF01C10E6162067E43BAE3B0FBF155958F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034115Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:56.360{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14BCAD3D8DB9FA413B027A02524100C9,SHA256=C853A983664243E9896A5D66353D50E496ABF1C6C9D08B28D8964CE7793E6CDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018332Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:57.513{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E55844CDB1F31399D1E52AB016347B29,SHA256=AC2DBCDE5800679A2840CF58E823EBEAF66807AF951E5BE2D8D84D14C43885D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034117Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:57.360{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30D29A435AFFFAAFDAC53161CFDD13C6,SHA256=BB46DFE75ABB7FEA15896A6F22551D81353308D5B8F4519479D2A308CF527D3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034116Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:54.677{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52402-false10.0.1.12-8000- 23542300x800000000000000018333Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:58.529{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=594E92F05252468EF103F8A6B468800A,SHA256=554883769A631C4D09915B6919B35DBD197DA57F8578610BF725C5341063414A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034119Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:58.720{6EDEAD03-0272-615C-3205-00000000FB01}5632ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=554F0135227DC60AB2762851AA2DAF11,SHA256=7A170B84F7B38B3564ABF283937DC81FFA1C5860217D51B05F7966DF18E9E68C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034118Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:58.376{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C33B9A1642E83CC9BEB6D2F2B0A11277,SHA256=FF6B486499C9BC9B2AAD34D95EC899650E418458AC1CDD7B851E88A0621DB30B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018334Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:59.763{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13C881E67B6301E3E73B95E9FF12B977,SHA256=D7DE5387DC379044CDCC64CC166DF8575F4857DFC6AF610231247E840C3B9828,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034120Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:59.391{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4FA30634485B52FD3F950AC69A73D1A,SHA256=12B2F64DF3F35EBE6ADE935899B132E33FBF0F20F918783D6E2F9A568A32E218,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018335Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:00.853{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA96F3BD5341B2CDD409EAAA35BC00D1,SHA256=BB89685774978F6DB571B2040089D0D2F98360E67BFDF4E633D4EAB2053A6BE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034128Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:00.403{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D93375C8930E814CED5F7887EED7E55,SHA256=C56B0F37C28AE33143395F0285181D6CD70F2BDD93B87467FC4077E02C9E2544,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034127Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:00.356{6EDEAD03-FF62-615B-F802-00000000FB01}50525756C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034126Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:00.356{6EDEAD03-FF62-615B-F802-00000000FB01}50525756C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034125Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:00.356{6EDEAD03-FF62-615B-F802-00000000FB01}50525756C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034124Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:00.356{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034123Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:00.340{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034122Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:00.340{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034121Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:00.340{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018337Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:01.868{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F80B649E60079DAD362C5C57D7772DE,SHA256=07D1E3974F57817A86074B648516267A32EE792E4401C70EDBABCF8F9A076ECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034129Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:01.419{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F5F6603CF68828E55E33795717187D,SHA256=BBAAE39A657DEBA323D89C19389EDF9897EB926140A00A8B3FB2874DF150551B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018336Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:43:58.124{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50633-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018338Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:02.884{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D3DCE9FA7BAE5B0D7EFB45C9F7B297B,SHA256=8045C9E303354C4851B9CBF964EFF8C50A2B15684ACDAAE27BCE02D4931A4B41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034131Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:02.434{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6204FEEA0BD0E24949FB21257E4F0D0E,SHA256=C126F95B6E01F9C502460FBAAB2561CDD5ED7251A13E6124166E25B9E169EC65,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034130Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:43:59.689{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52403-false10.0.1.12-8000- 23542300x800000000000000018339Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:03.962{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93B253564F1AA2F1100B2A2294AC8DFC,SHA256=9F223F9A3BF6E00B7EBF13876D3BBB36E40618DF063BD5F426B9C0EF55DF902F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034132Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:03.434{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A2FDCF9EB65B817C7A11AF98969F151,SHA256=8A3E55DDED9566BF247CAC343CF756C78CD4A337D2D6FAEB460D0D8D4250300D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018341Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:03.323{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50634-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018340Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:04.962{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7502403091FD2BF6C73BABB72842B508,SHA256=C8F0EC9BA6A89C1325A947D5E90BBC2D5F01434ABC0BEA55A47D560D67508618,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034133Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:04.450{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61AD205974433235CA7A9209B425303B,SHA256=F4910BF45A0A261998EAA0492E1B5EC68B4F2F1351A2FE395BD1EBA50657B342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034134Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:05.497{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1649DC7823C5EDF18C2D5F8798B6609B,SHA256=B11C49082F1B908E8A9BD091AA69387B963C23ED2D9A78A3F91E76210E844607,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034143Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:06.762{6EDEAD03-011D-615C-0305-00000000FB01}57405284C:\Windows\system32\conhost.exe{6EDEAD03-1056-615C-E206-00000000FB01}5696C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034142Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:06.747{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034141Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:06.747{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034140Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:06.747{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034139Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:06.747{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034138Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:06.747{6EDEAD03-FF5F-615B-E202-00000000FB01}9723552C:\Windows\system32\csrss.exe{6EDEAD03-1056-615C-E206-00000000FB01}5696C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034137Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:06.747{6EDEAD03-011D-615C-0205-00000000FB01}54284716C:\Windows\system32\cmd.exe{6EDEAD03-1056-615C-E206-00000000FB01}5696C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034136Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:06.759{6EDEAD03-1056-615C-E206-00000000FB01}5696C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete HKLM\SYSTEM\CurrentControlSet\Control\MiniNtC:\Users\Administrator\ATTACKRANGE\Administrator{6EDEAD03-FF61-615B-7756-1D0000000000}0x1d56772HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x800000000000000034135Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:06.512{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD9C84D0B814324590BB44A035842BE7,SHA256=99B62597F5DFA639C14FA5338270994DF99E6A5E4A6980D28539164DCE660942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018342Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:06.181{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B3A06C62B1F11B50E9C1CB0C05F58A8,SHA256=4F2EC9A44B09E7FE8EC0964552E0F1B23A0A41B960E6C1A31FDA39F4FBBDC227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034147Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:07.856{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25B7B8305B5770D982E3C5B15DB7000A,SHA256=0C129935CE5E448AC2A31F6E0DAB762B65E2DD1FBAEE316DF622E782170B34D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034146Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:07.856{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8EB1B76CF792A21C899A5A71E59451A4,SHA256=365DDA74764BDDD9A3D8FE9DB791D7EB56E39C5819676887789ECDACFEB3434B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034145Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:07.544{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A158B9346D7ABB9DE52639B80708CAB,SHA256=7445E502E4263E0D572589077CD0C77AC6A3B04CEF152AD697D75F1D8D5A6790,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018343Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:07.384{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD75EC173EACCBD671EA8A1DFF8D419,SHA256=05ABB579E1F9049528645622B731E059F01F0352FA612048791988281E35F536,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034144Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:05.704{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52404-false10.0.1.12-8000- 23542300x800000000000000018344Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:08.525{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE4C0A1A8F4B1DD4ACFB8F31C5371C9E,SHA256=E16A3D368A8C875C6BF77103497C97F96C85FD683C49975A7DD4660C9F692438,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034148Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:08.559{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=804ED2C4280FA758ED03C2AB16F24A39,SHA256=7B247593F80FEA2B60B622B3A0F892877F206CCC9BE22A6FC13B377F40F5CA31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018345Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:09.603{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C1D0A97EA1F07A8C54F30185B91906E,SHA256=D5A173DD681BF0BB77AEBE6CD947C69B24119CBD9A5B18AFA9ABAA094FF40EDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034149Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:09.559{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=529755264045E6FD90CDAA84ACF84479,SHA256=E377B00D789C50DB072FEF0A2E204B7F1648730840A42FBE6EE30DFD4F78FF42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018346Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:10.790{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8B44C64FE89DF91EB2B66F34A681513,SHA256=D5BBE81BAA823D4AF3E62774252473134278C066BCB84D7C1639BF83382494C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034150Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:10.590{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=062C46B98B4355FB833437801441B6C3,SHA256=898AC1AAC40F9CA1EDD903BB6EA93589955CFAA28E68FBAD2DC9B6EDF586C5D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018348Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:11.962{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D19CA762EAE9F0819F23580A84D55147,SHA256=A6AA95B165407181AF511DADF42FAA481AAD41BA2D633D4E2F7000C8EC362157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034151Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:11.669{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C5C97290ED13D4E52A362B720493D3D,SHA256=C39D0A5A06629D2B524F38B816DB21DF93ECF2B28406EA3EA3C354F6D4C965B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018347Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:09.323{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50635-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018349Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:12.978{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89676656B1C549EBE5FC6642F19B72FB,SHA256=DF8C854322C4F370F9210AFB918F6D8AC45C9D524D735D473E7BCB020F207929,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034153Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:12.703{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85A0A4B7F25FE417D4A671A5369F36B7,SHA256=0B156842AB0FFF257317D01C1EF8D9502F797D4B3DD2F40B5153FD41BA389274,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034152Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:12.375{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\respondent-20211005071805-083MD5=AA6F78CCC35FD74424B933C975A9F779,SHA256=482DFC86E7C4A11E76E3E352EB64B396C84C083D9F57F37823883232EC55A225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018350Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:13.978{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0253CAD14A4CB5D63B5B83F345C14710,SHA256=E001F9BD2ACA10C71F8B5801DADCA4EB8D9E199E8267D95AB9584FFFC231E1D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034155Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:13.717{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFDA776FB8ECF70EEB4DAB1FE625D4F7,SHA256=8CBF0D73F8F93499B06788A0406F3109E55601655BFE6A948F1BAB60A4E57463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034154Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:13.376{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\surveyor-20211005071802-084MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018351Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:14.993{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E7C56558905173BDFFD61992CC3E3F8,SHA256=2A0AAC1450D19158CF3004D39E789D67E00AC53D9A579E2B6C4B2F56BB05DCF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034157Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:14.720{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF1F38BD5C942564F425B97946D37E31,SHA256=E4A5F57BF87AEFED0D74C6033E0A7D83F84DB380FDA2A60372DDDB8F72AA4525,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034156Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:11.662{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52405-false10.0.1.12-8000- 23542300x800000000000000034158Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:15.720{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC0AACBC586FA505E911E453B7854041,SHA256=C10A05942AEFEC26FE1934E60141C7F02DAB09A420F60BFACF350710900BC49F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034159Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:16.720{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF25D38F75160AB868F42E8A23816BC1,SHA256=FBA9062681515FAF81E03C1FD72B4203B0D98D8BC12B11C1AC7A1873B61E3752,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018353Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:15.120{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50636-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018352Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:16.009{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22C13169B12F037AE5720A7E1141BE43,SHA256=79424139EB95C6F3EF3FFFFB0D3D1B6E282586BF9C1F2CB46572CC0CE5B8D978,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034162Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:17.876{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B030B669B93C3E93354A6B848BB40CC,SHA256=B755BA95A097968C5F0573D8FAB50866DE5004F8EF79B1E29DAB3D7B8963586F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034161Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:17.876{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25B7B8305B5770D982E3C5B15DB7000A,SHA256=0C129935CE5E448AC2A31F6E0DAB762B65E2DD1FBAEE316DF622E782170B34D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034160Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:17.721{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7828B8334DC1F9893729FA3C5EB123A,SHA256=A92DBE18D26E8E70B43F8229358EE154B52C8DFE46ED0D0C0D0EC36F37758560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018354Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:17.024{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EB3A6BC3F84FB9D92B726E44149E724,SHA256=E5336DF37561501F3F545295471F67AEF192760E96C1C5A8FD00F5B2F285D016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034165Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:18.736{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F163BD8AF089D46D4698B67C5F65174B,SHA256=C338658A4D7F42F284BE700F08806FB2D269E9CB9EF8EB787EAA96350AD06E1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018355Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:18.024{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=723ED378B3A986B89D9DB86F2007CFF9,SHA256=82588594D540DABE57D4882830AB7135E81E508559157CD812385E24F5613F63,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034164Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:16.460{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local52406-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 354300x800000000000000034163Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:16.460{6EDEAD03-FC2A-615B-2900-00000000FB01}2912C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local52406-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 23542300x800000000000000034167Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:19.751{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BADE4E0ABD2A599D8F61964C652C1A75,SHA256=9AB61E1C455AD1797B4003481EBE1E6C4AC8731108398317BF9C9163A2BFE289,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018356Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:19.024{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98B360D8130894FDD1A799DCF6D2AA52,SHA256=EA2B8FDDC464D71E6E9A9F0DD5EF9796A63A041E8AC50B7C05582DD4EC95A021,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034166Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:17.631{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52407-false10.0.1.12-8000- 23542300x800000000000000034168Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:20.766{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A698400A5F2690876C4484EBBB928D65,SHA256=D7D93E982B9CDE5F418BA1EA43D4F6DB79D29D68576868A9DDE99B3F96E35FCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018357Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:20.029{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1ED43D1F89304E19BDE4751ED44B418,SHA256=267755A9B5120A911B5148FDF4D93AA603DA1E13E339D05C3412E825827FBC62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034169Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:21.766{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=085C677363928500A23AC7897C2EE524,SHA256=26A6B8F9EDB77F3CF6FBFC803B5AFE9B9428BDF56FBF956038054DEB97EBB761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018358Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:21.029{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF75B50B78CC7778CA6FBF7AE62E4258,SHA256=1EF20C05B807B0D7535FD3495E0ACDAF0552E60ED9B6D64765D8694697608864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034170Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:22.782{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3B7C6ACA77AAC6135252CFEC02FF875,SHA256=E704EDE1C0AB0B0871F167ABE2B11D85D84D9D95AC535672D972B597D70C4503,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018360Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:20.281{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50637-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018359Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:22.044{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE371F09A2010CA5DE95D41557F3E925,SHA256=6309F420A4A3BA03BBA660AD34944098B55498CEADE70610C0DBBABCF3009B0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034171Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:23.782{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8F11C72B55074B831CEC42E80CF0A34,SHA256=F554A951F3A642EB57518BD648E184D2874B5F845E2C48F96E6E91314CD21E56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018361Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:23.060{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5B4DDDFAEFDEC151140D5D67E37857F,SHA256=896DA49C0BBC82DA14FFD4CC99A936F0075782973C75163253167DC2394A627B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034173Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:24.798{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD31EF40715589B81718ED9A2184EF6B,SHA256=C94BB96F15453A3F412FE1C700535F0E18B823EE51A2C7EAAC6BACA5D9B554DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018362Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:24.075{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06ECEB5CAA00C2E49F668DA00301ECBD,SHA256=7A1ED7FF794D7E8BC6600D3B1E1D45A1DE51F32850F80AD4D6AA69DA61578185,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034172Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:22.833{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52408-false10.0.1.12-8000- 23542300x800000000000000034174Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:25.813{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0101C41F4AFC8D59098D0ADC6C9496E7,SHA256=6FC05F900F33E4038171F7509D5142D917A4AFA100C1262CE591CF0210925D89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018363Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:25.091{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F97DF6B68CE9965097DDFFE0B71D0827,SHA256=29DFAB7B7D82E6C3F2891A0FE38A094864662EA49A5764103CB26DB2A77520DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034175Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:26.829{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CE2D0C2529D66CEB6B1EF3DE1277AFF,SHA256=9AD951AAFBCB8703108CF215EAB74941F6373D064AECC7B5ADA6D1E272CCC6F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018364Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:26.091{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=877DDBA20A8ECF9B782354AFD933A90A,SHA256=8DAA9CC3D8087FDCCBFA6238521826F2E5D48EA16B6AA81529EFBCD3195BC89D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034176Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:27.829{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA613A37F7A2D5BD9CE17F333F7C8BD9,SHA256=6AD0FA38CC1A8E75278CACC1EF1F1A697A71DAD9B040F63EC195E57A249DD797,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018366Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:26.234{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50638-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018365Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:27.107{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A48D1D142452EC4ACD020AA3FCFF3B1,SHA256=E2D9E1F7E02FB40CED16AE4B80EE17A9136805B1C032CAB156A6A01BA82F3410,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034177Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:28.829{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6284BCECC05A4919FB458EC992DF00BD,SHA256=2C12A283C1BE95D42B80B089F8883151310865A71F42894B61EB8BD23B5BC95B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018367Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:28.107{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=592165020C3952D543B362DD355E3FAD,SHA256=5EE1FE4CB721216C87EF3A4DAD2FFA26B66598A04A5CDF25CCDD49502458BA4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034178Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:29.860{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D4159D1C774ED83F5DD76DAC18AF712,SHA256=61CED0AFC290237316B007438F27C5A166317C282682481EB9DADE9F99C1371E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018368Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:29.107{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06A9A947CA8E746A292E692AD227C010,SHA256=2A556C64B705AB0FE155ABCFA73A047BF39C7B6605162772F22D746142C629DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034181Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:30.891{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A212D1E03B2CE57D8F3DCA2F2783CDD8,SHA256=6238184C97F9DCD448673FF49014CAA4E7AC733BBFA61D779D0A58A12564D2A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018370Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:30.985{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\respondent-20211005072534-076MD5=9DBD3CF651CAD1963D7DD9E70795396E,SHA256=D00FE5240C0E39CC33FD8ADFFDA13197E8833401D0A3D05F731F6A79B8E00229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018369Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:30.122{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77DA753A56710F8E994F0E787D043761,SHA256=CAD076BB1EEC4AF1B4535B00783CC1D8434FFD5F585906BD5297AF3270BE1E69,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034180Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:28.895{6EDEAD03-FC1D-615B-1200-00000000FB01}616C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 354300x800000000000000034179Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:28.740{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52409-false10.0.1.12-8000- 23542300x800000000000000034182Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:31.907{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FB3C132CA8DAED0AC05A36691EF5534,SHA256=89C0D1E3F36818C096C76462F5B88EA5A893C2EF16F43E559F86A7C36751647A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018372Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:31.990{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\surveyor-20211005072532-077MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018371Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:31.130{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00FFEBF9FB769D533896A9C224523E9D,SHA256=6A02E1C5760E5A25865854986E6DACDE73F58897F40139013D13E87F63C56BEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034183Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:32.954{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8283B8B11A8704D069A48B395B46687F,SHA256=F7E85541D0095E396E69E345534A1B24658711761B730795F4F0FAB493EAFEEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018374Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:32.598{49C67628-FDEB-615B-1100-00000000FC01}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CC48B40BAC9F37F2E98AF6C3C40D85EF,SHA256=196917A68110D39083A262FF79AE292FEC1E1CDDEE138EF11D282F73C4FDBDDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018373Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:32.144{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A7A67470427391FF365CC096CFE0CD8,SHA256=A96F1E19FB57913BF9FE278500FB786A8327FC9A75D0769940D1B8D0C72DA8DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034184Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:33.985{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FD1FE79F7FB3E7D049D95E83DCAAB8E,SHA256=21AC2AB98CD160A4CDB10A02EF0791D6F2268A2B8784705F625AECD2237A7F77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018375Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:33.145{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91761BDC8C8F10DEEA731E0C1B4966A4,SHA256=EA8360B8866CAC70D83F8B7A16EA4157DF4EF4325A454807C7BA4F49F60C7D50,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018377Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:31.272{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50639-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018376Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:34.161{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10EBA2D8A0185F4121B32869E2F122E0,SHA256=0E16EF674A0CA0D80E5E31018B01BA99116BD92788C3B83A96C22880525CC985,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018378Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:35.161{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E852C24938D28F373155FA69D03C6BF9,SHA256=055C9F4DF7FBD0F55C0C1B2DD359AA66AF85CC625CD10B5A5E83EE1619C5BCB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034185Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:35.001{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A8773D25F891DB4008894FE2D49BA64,SHA256=A034D4877CEB203290265A35D8DA572CE59EE81E277BDDFB6A777668199ED241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018379Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:36.161{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A906EEB07128E480886C24D9BB2BDDF6,SHA256=2041EAB67FF6B674A0C13F73FD976F11ACD7E71BD500F9D6361B37855C329917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034186Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:36.016{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2DFBBDED43F125CCA364269BFD88BB2,SHA256=F4FD8EC67D66F266FE4BE0B617B2FD9200CDE0157556295E428EB16ECEBA3EC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018380Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:37.176{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0197ABC6112ED5284E84E44B3229E630,SHA256=1A18BA7A9343C952072C83FAD40352ADC3C9019BA57BAFD7C43E3FBFE3CF7C57,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034188Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:34.724{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52410-false10.0.1.12-8000- 23542300x800000000000000034187Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:37.016{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43547DA82991F80DA187727B257301D5,SHA256=F18E5D1D479991CDFECDCC0B4CE1E225AAF532391529AF3620A1923B5FE35ECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018381Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:38.192{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FC284AD9E2A5C393052104821DD6490,SHA256=FA214ADE820B2F6452642217E46741E057D15E825298AB4390A83E81D2B78DA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034189Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:38.048{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9448E9BBFEF96CDBF469FE5D989FEE0E,SHA256=47A5A2DA7674C447833661D0CDFB70F99B72A74811825C85CAFC22D64759A6DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018383Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:37.288{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50640-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018382Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:39.208{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B032287CDE1D77170B7E1A9F3A69E87E,SHA256=03AE37B0451E2D154B1986DE678224DE3F5264936F3A3C38FB94685679E27EFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034198Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:39.485{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-1077-615C-E306-00000000FB01}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034197Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:39.485{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034196Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:39.485{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034195Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:39.485{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034194Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:39.485{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034193Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:39.485{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-1077-615C-E306-00000000FB01}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034192Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:39.485{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-1077-615C-E306-00000000FB01}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034191Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:39.486{6EDEAD03-1077-615C-E306-00000000FB01}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034190Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:39.048{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AC1FB86D7F744675E330B73E02D58D9,SHA256=94426F6239EF884B3153F3A500FF36D1032E14A64C2088DFFFC50A0B86F5D551,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018384Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:40.221{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=680D26C9EF8E1219DE48743DCCF5C242,SHA256=C31AA2FE99DA616A6D58AD54F0A9929578E4C8699D701D0FD7CFD3F7D8823D44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034226Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:40.740{6EDEAD03-FF62-615B-F802-00000000FB01}50525756C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034225Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:40.740{6EDEAD03-FF62-615B-F802-00000000FB01}50525756C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034224Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:40.740{6EDEAD03-FF62-615B-F802-00000000FB01}50525756C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034223Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:40.740{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034222Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:40.740{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034221Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:40.740{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034220Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:40.740{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034219Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:40.724{6EDEAD03-1078-615C-E506-00000000FB01}67127164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034218Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:40.568{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-1078-615C-E506-00000000FB01}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034217Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:40.568{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034216Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:40.568{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034215Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:40.568{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034214Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:40.568{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034213Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:40.568{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-1078-615C-E506-00000000FB01}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034212Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:40.568{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-1078-615C-E506-00000000FB01}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034211Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:40.569{6EDEAD03-1078-615C-E506-00000000FB01}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034210Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:40.521{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58217034B5402A17753000B9A4ED0C6C,SHA256=05CC0A0DCE827C7CC8CAA66B49113DECA41CCCBF05A8B8C7E061B9A1A4DF2EB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034209Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:40.521{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B030B669B93C3E93354A6B848BB40CC,SHA256=B755BA95A097968C5F0573D8FAB50866DE5004F8EF79B1E29DAB3D7B8963586F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034208Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:40.068{6EDEAD03-FCBF-615B-AF00-00000000FB01}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034207Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:40.052{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA84AB59176A0CA9AF29AC818E84AE8F,SHA256=716E89596FFC4395B0F1CB67CD76398396EF05EDBBE1EE20F840689DCCB25D2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034206Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:40.052{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-1078-615C-E406-00000000FB01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034205Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:40.052{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-1078-615C-E406-00000000FB01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034204Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:40.052{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034203Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:40.052{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034202Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:40.052{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034201Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:40.052{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034200Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:40.052{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-1078-615C-E406-00000000FB01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034199Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:40.053{6EDEAD03-1078-615C-E406-00000000FB01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018385Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:41.221{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA0E9735ECC18791E8EA054CE24D33FC,SHA256=67A9852DA466BA5E852611E06CA321181EF15EFD5BEBBA081AB81A4846E17CCF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034229Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:39.651{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52411-false10.0.1.12-8089- 23542300x800000000000000034228Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:41.599{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58217034B5402A17753000B9A4ED0C6C,SHA256=05CC0A0DCE827C7CC8CAA66B49113DECA41CCCBF05A8B8C7E061B9A1A4DF2EB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034227Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:41.193{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71935AFE839129D80C13D59771A1B0EC,SHA256=17AD4701B7E2ADD8795BB2F43C0819D30188A4659CC9B02A32CBA063CF9897B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034240Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:40.744{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52412-false10.0.1.12-8000- 10341000x800000000000000034239Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:42.568{6EDEAD03-107A-615C-E606-00000000FB01}63244136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034238Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:42.380{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-107A-615C-E606-00000000FB01}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034237Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:42.380{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034236Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:42.380{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034235Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:42.380{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034234Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:42.380{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034233Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:42.380{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-107A-615C-E606-00000000FB01}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034232Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:42.380{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-107A-615C-E606-00000000FB01}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034231Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:42.381{6EDEAD03-107A-615C-E606-00000000FB01}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034230Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:42.349{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=367E1D781509DF502E1B1D9506541135,SHA256=2D0ED23C4FA23ED64804D5AEAE4E83B0BD0D28A33150101483B280A92F92D96D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018386Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:42.237{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60C325E43990AE296D4284073DA54E94,SHA256=42F9F352FE3EA8BA5A9BF87B1A13AA853CC32EBCB8740B7AEF796A6FEEC75DEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034259Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:43.568{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-107B-615C-E806-00000000FB01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034258Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:43.568{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034257Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:43.568{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034256Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:43.568{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034255Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:43.568{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034254Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:43.568{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-107B-615C-E806-00000000FB01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034253Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:43.568{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-107B-615C-E806-00000000FB01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034252Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:43.570{6EDEAD03-107B-615C-E806-00000000FB01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034251Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:43.396{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F15A8468FE351EE4D26E9B2DB046271F,SHA256=B6D6397FBC44ABEC213458A1CE080A64D71587F041694DEF89049893E6DBB3E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034250Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:43.349{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48517FA6A72B6B43E468B116F6852142,SHA256=7B7DA8D8115F9B8B2C9B8A706BE2859825FADF3D3A038F1CECEC6A5BB78442A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018400Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:43.893{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-107B-615C-0103-00000000FC01}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018399Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:43.893{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018398Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:43.893{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018397Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:43.893{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018396Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:43.893{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018395Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:43.893{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018394Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:43.893{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018393Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:43.893{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018392Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:43.893{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018391Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:43.893{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018390Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:43.893{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-107B-615C-0103-00000000FC01}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018389Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:43.893{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-107B-615C-0103-00000000FC01}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018388Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:43.894{49C67628-107B-615C-0103-00000000FC01}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018387Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:43.252{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4ADB7EC0FEC049329FB4F81BE0E8BD6,SHA256=B2C03F0CAED9BC12F184F93F523C1B07226B0AD145F4D1EE49CCA1BBF2E8D31E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034249Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:43.224{6EDEAD03-107B-615C-E706-00000000FB01}57206384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034248Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:43.052{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-107B-615C-E706-00000000FB01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034247Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:43.052{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034246Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:43.052{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034245Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:43.052{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034244Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:43.052{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034243Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:43.052{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-107B-615C-E706-00000000FB01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034242Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:43.052{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-107B-615C-E706-00000000FB01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034241Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:43.053{6EDEAD03-107B-615C-E706-00000000FB01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034270Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:44.584{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33CBD2E3D28D615B45F24AF2CF3952E8,SHA256=4D9EDDE421C8A30503FEECB4991C788BC41EE3C30A048893713003FFE5E41EFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034269Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:44.443{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF5EEBDED913C70339D0E1138F8A216A,SHA256=6FE18C973D931AE3CB32927BD82E482A4A662E4C3B4E13D8CA0D08A1E6FDBE4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018418Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:44.924{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A1576F60D0B6307EBDA7C1289D4CC9A,SHA256=10F9C78DC9D43662B2EFB1C9DA607F974A3E08879963AD01253513F1C33447D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018417Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:44.924{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A07F3E6E44B483A8E155181435DA7E12,SHA256=A7FBC24848C420E0D8CD7CEF767FC63D8B9A399E0BDDA47A903BE73E0EB428AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018416Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:43.270{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50641-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000018415Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:44.455{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-107C-615C-0203-00000000FC01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018414Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:44.455{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018413Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:44.455{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018412Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:44.455{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018411Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:44.455{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018410Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:44.455{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018409Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:44.455{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018408Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:44.455{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018407Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:44.455{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018406Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:44.455{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018405Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:44.455{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-107C-615C-0203-00000000FC01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018404Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:44.455{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-107C-615C-0203-00000000FC01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018403Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:44.457{49C67628-107C-615C-0203-00000000FC01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018402Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:44.268{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13024BA614C26E36909CEFEF4C4DB42F,SHA256=A818F3E8FB3C9396A676D0FD3853609C722FC26278822544A8496F302093CB56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034268Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:44.412{6EDEAD03-107C-615C-E906-00000000FB01}65326536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034267Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:44.240{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-107C-615C-E906-00000000FB01}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034266Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:44.240{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034265Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:44.240{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034264Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:44.240{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034263Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:44.240{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034262Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:44.240{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-107C-615C-E906-00000000FB01}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034261Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:44.240{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-107C-615C-E906-00000000FB01}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034260Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:44.241{6EDEAD03-107C-615C-E906-00000000FB01}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018401Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:44.049{49C67628-107B-615C-0103-00000000FC01}8483616C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000034271Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:45.490{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6DCEADC86736ECEFDA15B04E04C7F86,SHA256=9FA8710C9F33F04A4904DE6552E4C2491200CC6F0F4C93FDE2603D7B11C51C03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018432Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:45.705{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AA4A37F67927BC324B371F5B464DD27,SHA256=2E7FF5FEEAD57E88636B8169181E80B13E4EB16AD7F2F77EC116FD955840FAF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018431Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:45.080{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-107D-615C-0303-00000000FC01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018430Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:45.080{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018429Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:45.080{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018428Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:45.080{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018427Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:45.080{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018426Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:45.080{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018425Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:45.080{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018424Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:45.080{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018423Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:45.080{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018422Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:45.080{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018421Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:45.080{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-107D-615C-0303-00000000FC01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018420Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:45.080{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-107D-615C-0303-00000000FC01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018419Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:45.081{49C67628-107D-615C-0303-00000000FC01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034272Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:46.552{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77A3CFED2862D83ED79EC197C86BCD7C,SHA256=498888AF99FBE49EBEAF3FF0164DF72A1086FA98511BF484480EE4531864B702,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018448Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:46.815{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9E98C4179474DC71D0B8EB47835A195,SHA256=1963139BF1B4B87E278EB9F6292ACC1A6F4609199787758B5DD43218C48EAB5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018447Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:46.299{49C67628-107E-615C-0403-00000000FC01}31203244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018446Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:46.143{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-107E-615C-0403-00000000FC01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018445Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:46.143{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018444Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:46.143{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018443Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:46.143{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018442Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:46.143{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018441Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:46.143{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018440Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:46.143{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018439Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:46.143{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018438Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:46.143{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018437Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:46.143{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018436Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:46.143{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-107E-615C-0403-00000000FC01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018435Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:46.143{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-107E-615C-0403-00000000FC01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018434Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:46.144{49C67628-107E-615C-0403-00000000FC01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018433Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:46.096{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A1576F60D0B6307EBDA7C1289D4CC9A,SHA256=10F9C78DC9D43662B2EFB1C9DA607F974A3E08879963AD01253513F1C33447D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034274Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:47.787{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBA8F18DA03DA5F3C842B0097DABD2B7,SHA256=375BE36720B99BC780412DD8CCE899F13C6063DFDA7B129CC27F3490E74D8C99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034273Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:47.787{6EDEAD03-0272-615C-3205-00000000FB01}5632ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-10-05_084358MD5=9BA101C5689E4208141D5168C6B44D72,SHA256=0865829E5880888F3AA5CC0B403B5A30B7822D87EB3FB57AE27D3441849DFD2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018463Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:47.940{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-107F-615C-0503-00000000FC01}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018462Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:47.940{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018461Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:47.940{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018460Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:47.940{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018459Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:47.940{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018458Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:47.940{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018457Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:47.940{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018456Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:47.940{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018455Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:47.940{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018454Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:47.940{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018453Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:47.940{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-107F-615C-0503-00000000FC01}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018452Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:47.940{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-107F-615C-0503-00000000FC01}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018451Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:47.941{49C67628-107F-615C-0503-00000000FC01}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018450Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:47.846{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA71ECC9206439964134AC57A0C0FABE,SHA256=125A126B2FEF43C7C9C15DC6DB1E067E089593648F550A83DD3A358EECF2F15C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018449Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:47.174{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0DA2EF6CF7519E3BAAA7841E08FE1E1,SHA256=3D365CFBC9CC546A4DD19F3FF5059E7114912FD1FB8F987A0DE4D5B39B34673F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018480Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:48.971{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EC320FC2B9D84B50A88B4325E5F7843,SHA256=51A3FBDAD1B34A1AC72599269364E2DD044A4E8C7B3D4573B426696DA071D881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034275Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:48.865{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9003BDA9380BB72A8F39D0C212F3AE5,SHA256=C0B765130D5CC1E9A7EAD8B7DD6BA65F533AFB30F17547174F60B7EEC03ACED1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018479Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:48.830{49C67628-1080-615C-0603-00000000FC01}34961988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018478Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:48.612{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-1080-615C-0603-00000000FC01}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018477Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:48.612{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018476Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:48.612{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018475Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:48.612{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018474Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:48.612{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018473Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:48.612{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018472Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:48.612{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018471Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:48.612{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018470Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:48.612{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018469Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:48.612{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018468Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:48.612{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-1080-615C-0603-00000000FC01}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018467Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:48.612{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-1080-615C-0603-00000000FC01}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018466Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:48.613{49C67628-1080-615C-0603-00000000FC01}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018465Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:48.346{49C67628-FE68-615B-9F00-00000000FC01}1772NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018464Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:48.112{49C67628-107F-615C-0503-00000000FC01}30643008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018497Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:49.987{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B698E4F5BB3C55C2ACA7BF14A37A727,SHA256=8A0344B4C848AC8FADA4F4CA63984E918AE91F8C05595EA5118BB000813ED8D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034277Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:49.880{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8378810A77C37F28422EB5FAC697EC2F,SHA256=6C196084229DD8ADAA82DCA3C73A7D6BA607593C8C0FA6F59F7E08649499B605,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018496Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:48.395{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50643-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000018495Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:48.303{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50642-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018494Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:49.112{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9C359B1E57F60E703729F403B8838C3,SHA256=270DD2AD3738F5E23263F2A04BF4F6188476DFE9160DCE16ED0DAD898DEBBB65,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018493Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:49.112{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-1081-615C-0703-00000000FC01}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018492Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:49.112{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018491Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:49.112{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018490Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:49.112{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018489Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:49.112{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018488Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:49.112{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018487Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:49.112{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018486Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:49.112{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018485Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:49.112{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018484Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:49.112{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018483Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:49.112{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-1081-615C-0703-00000000FC01}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018482Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:49.112{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-1081-615C-0703-00000000FC01}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018481Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:49.113{49C67628-1081-615C-0703-00000000FC01}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000034276Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:46.666{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52413-false10.0.1.12-8000- 23542300x800000000000000034279Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:50.881{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4191F196B4745F86A9CC114ADA71EF0B,SHA256=9996022C3BCABD60760551078BB4A0BC1AFF284CFB425392961C08B05167DCB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018498Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:50.268{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=969F366F1E75679CC00DE49AE5AE58CF,SHA256=F37FB69B835159FED6275F1897E627682D7E25684F4A0439AA3529A95AE10EEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034278Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:50.849{6EDEAD03-FC1D-615B-1200-00000000FB01}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0AE800F95741E03DEF0E2114EFC21A3E,SHA256=5C19C007730B805277569F582692D996C3CADD99A0E2BAF930F751D3E350923B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034280Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:51.896{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B883DD4AF79D3EB15DB3D409755D23C6,SHA256=F25D523A437172291FE992D7E624ED8B50CED83F3661D31BF7DCB0484505A38B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018499Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:51.221{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24AD92405B8D291CBAAB58085D698258,SHA256=748D18B6146DF2B740977ED2DECCB1F92DE9BB9B1D77BE39DD465D0F4BAFAB9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018500Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:52.346{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C21EFCF4203114F03BE6E557BD07CCE,SHA256=D866843777020B80C1A08B2CA97DC93C9B642E20B6CF190CC6BDF988E8F58A02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034315Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034314Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034313Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034312Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034311Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034310Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034309Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034308Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034307Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034306Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034305Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034304Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034303Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034302Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034301Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034300Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034299Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034298Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034297Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034296Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034295Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034294Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034293Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034292Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034291Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034290Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034289Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034288Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034287Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034286Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034285Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034284Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034283Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034282Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1100-00000000FB01}480C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034281Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.709{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1100-00000000FB01}480C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018501Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:53.362{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27472AC65C214708DAF33A113F5831B3,SHA256=D8494CE248C02F8928620A2D458D467D01A320AD63E3CFF30C7ECC993871639C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034316Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:53.318{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A296646F12ED595E45707DC7BD6F1EE2,SHA256=B127742AD6CFC14AD83BB0210D7724E0AC87F734DCE2B456AB765D39851FEEF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034318Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:54.802{6EDEAD03-0272-615C-3205-00000000FB01}5632ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-10-05_084358MD5=8E4717375743C108E8F599A397B183F9,SHA256=84F9D9B95BE9F0861DC2FAD4F4A824B00DB57FBEC4208BCF0730E352C58A3B2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034317Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:54.443{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63219331276923E8A191C5821A088F88,SHA256=4773EB79F900B1D3976513532B3ED8705A388ED8A9E60D73C581DDBA7801C6E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018502Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:54.377{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12DE88325D85450FEAC969B380B3646D,SHA256=26EA92A0A92159D95324EE7D9BD3A0F4787E9C5716E6D17CBCE5761766FB5326,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034320Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:55.474{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C8B92664AC5D1CAD22640982C95AA71,SHA256=BDA5EAA867793E258840F2FB00F3D3D9934C2B406EF6F22C2E94A91645259A38,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018504Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:54.223{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50644-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018503Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:55.377{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A037D46C1CAC2AB10776ACCDB0C7282C,SHA256=9A657042C093BBE32180BCD7E62A649CE957A9838C323D41F31BD730084F873B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034319Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:52.666{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52414-false10.0.1.12-8000- 23542300x800000000000000034321Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:56.599{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E68DB270DE980C683B56BCCF75531C3,SHA256=1ADC92D5CA2E11F52E50CE3E80A0C03642A952F65FF4614FBE7CE76674417CEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018505Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:56.377{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9053444A38CD1DF1CD34E060B4C6340,SHA256=28697B90E24D02F86240AC5A4E9C28F2F420162C35EB672917079FAC9D04D267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018506Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:57.612{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89109514041643D754E21EFFDE6D4B77,SHA256=1024B2D7B77C0A5B2F4B784F65BDABE360AC92C8E62BE8B7098612B7CF2B3079,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034322Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:57.756{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3829F5FBEEC4C47C138166190993015F,SHA256=F4AD2F01C21979AAD5A46E6D8158E870E0386AA9630EB4EF6E2898F181D41268,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018507Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:58.768{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE89DBAA0AFD089D3B1D96D901AD1A54,SHA256=113984D14609825CF42389ECD73FE685B0CA2D9C4B66DCD4BFCB8BA47AA3362A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034399Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.865{6EDEAD03-FF62-615B-F802-00000000FB01}50525744C:\Windows\Explorer.EXE{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000034398Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.865{6EDEAD03-FF62-615B-F802-00000000FB01}50525744C:\Windows\Explorer.EXE{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000034397Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.865{6EDEAD03-FC1D-615B-0C00-00000000FB01}8487068C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034396Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.865{6EDEAD03-FF62-615B-F802-00000000FB01}50526932C:\Windows\Explorer.EXE{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034395Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.865{6EDEAD03-FF62-615B-F802-00000000FB01}50526932C:\Windows\Explorer.EXE{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034394Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.865{6EDEAD03-FF62-615B-F802-00000000FB01}50522660C:\Windows\Explorer.EXE{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034393Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.865{6EDEAD03-FF62-615B-F802-00000000FB01}50522660C:\Windows\Explorer.EXE{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034392Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.865{6EDEAD03-FC1D-615B-0C00-00000000FB01}8487068C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034391Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.865{6EDEAD03-FF62-615B-F802-00000000FB01}50525848C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034390Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.865{6EDEAD03-FF62-615B-F802-00000000FB01}50525848C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034389Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.865{6EDEAD03-FF62-615B-F802-00000000FB01}50525848C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034388Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.849{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034387Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.849{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034386Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.849{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034385Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.849{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034384Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.162{6EDEAD03-FC1D-615B-1600-00000000FB01}12881844C:\Windows\System32\svchost.exe{6EDEAD03-108A-615C-EC06-00000000FB01}5712C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034383Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.162{6EDEAD03-FC1D-615B-1600-00000000FB01}12881316C:\Windows\System32\svchost.exe{6EDEAD03-108A-615C-EC06-00000000FB01}5712C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034382Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.162{6EDEAD03-FC1D-615B-0C00-00000000FB01}8487068C:\Windows\system32\svchost.exe{6EDEAD03-108A-615C-EC06-00000000FB01}5712C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034381Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.146{6EDEAD03-FF5F-615B-E202-00000000FB01}9724272C:\Windows\system32\csrss.exe{6EDEAD03-108A-615C-EC06-00000000FB01}5712C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034380Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.146{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-108A-615C-EC06-00000000FB01}5712C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034379Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.146{6EDEAD03-FC1D-615B-0C00-00000000FB01}8487068C:\Windows\system32\svchost.exe{6EDEAD03-108A-615C-EC06-00000000FB01}5712C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034378Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.130{6EDEAD03-FC1D-615B-1600-00000000FB01}12881844C:\Windows\System32\svchost.exe{6EDEAD03-108A-615C-EB06-00000000FB01}6892C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034377Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.130{6EDEAD03-FC1D-615B-1600-00000000FB01}12881316C:\Windows\System32\svchost.exe{6EDEAD03-108A-615C-EB06-00000000FB01}6892C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034376Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.130{6EDEAD03-FC1D-615B-0C00-00000000FB01}8487068C:\Windows\system32\svchost.exe{6EDEAD03-108A-615C-EB06-00000000FB01}6892C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034375Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.115{6EDEAD03-FF5F-615B-E202-00000000FB01}9724272C:\Windows\system32\csrss.exe{6EDEAD03-108A-615C-EB06-00000000FB01}6892C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034374Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.115{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-108A-615C-EB06-00000000FB01}6892C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034373Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.115{6EDEAD03-FC1D-615B-0C00-00000000FB01}8487068C:\Windows\system32\svchost.exe{6EDEAD03-108A-615C-EB06-00000000FB01}6892C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034372Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.099{6EDEAD03-FF62-615B-ED02-00000000FB01}48006764C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000034371Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.099{6EDEAD03-FF62-615B-ED02-00000000FB01}48006764C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000034370Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.099{6EDEAD03-FF62-615B-F802-00000000FB01}50524608C:\Windows\Explorer.EXE{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034369Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.099{6EDEAD03-FF62-615B-F802-00000000FB01}50524608C:\Windows\Explorer.EXE{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000034368Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.099{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=691F829B135FD688C6D176A00CFA8F9F,SHA256=E6A65604E133526E36B9C17439B1D0F9D2F4E7E40EBA151CE51A49584F07F78A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034367Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.084{6EDEAD03-FF62-615B-ED02-00000000FB01}48006764C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000034366Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.084{6EDEAD03-FF62-615B-ED02-00000000FB01}48006764C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000034365Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.084{6EDEAD03-FF62-615B-ED02-00000000FB01}48003116C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000034364Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.084{6EDEAD03-FF62-615B-ED02-00000000FB01}48003116C:\Windows\System32\RuntimeBroker.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000034363Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.084{6EDEAD03-FF62-615B-F802-00000000FB01}5052296C:\Windows\Explorer.EXE{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034362Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.068{6EDEAD03-FF62-615B-F802-00000000FB01}5052296C:\Windows\Explorer.EXE{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034361Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.068{6EDEAD03-FF62-615B-F802-00000000FB01}50525744C:\Windows\Explorer.EXE{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000034360Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.068{6EDEAD03-FF62-615B-F802-00000000FB01}50525744C:\Windows\Explorer.EXE{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000034359Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.068{6EDEAD03-FF62-615B-F802-00000000FB01}50525848C:\Windows\Explorer.EXE{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034358Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.068{6EDEAD03-FF62-615B-F802-00000000FB01}50525848C:\Windows\Explorer.EXE{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034357Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.068{6EDEAD03-FF62-615B-F802-00000000FB01}50525848C:\Windows\Explorer.EXE{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034356Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.052{6EDEAD03-FC1D-615B-0D00-00000000FB01}90896C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034355Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.052{6EDEAD03-FC1D-615B-0D00-00000000FB01}90896C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034354Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.052{6EDEAD03-FC1D-615B-0D00-00000000FB01}90896C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034353Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.052{6EDEAD03-FC1D-615B-0D00-00000000FB01}90896C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034352Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.052{6EDEAD03-FC1D-615B-0D00-00000000FB01}90896C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034351Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.052{6EDEAD03-FC1D-615B-0D00-00000000FB01}90896C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034350Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.052{6EDEAD03-FC1D-615B-0D00-00000000FB01}90896C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034349Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.052{6EDEAD03-FC1D-615B-0D00-00000000FB01}90896C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034348Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.052{6EDEAD03-FC1D-615B-0D00-00000000FB01}90896C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034347Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.052{6EDEAD03-FC1D-615B-0D00-00000000FB01}90896C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034346Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.052{6EDEAD03-FC1D-615B-0D00-00000000FB01}90896C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034345Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.052{6EDEAD03-FC1D-615B-0D00-00000000FB01}90896C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034344Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.052{6EDEAD03-FC1D-615B-0D00-00000000FB01}90896C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034343Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.052{6EDEAD03-FC1D-615B-0D00-00000000FB01}90896C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034342Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.052{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034341Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.052{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034340Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.052{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034339Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.052{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000034338Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.052{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000034337Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.052{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000034336Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.052{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034335Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.052{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034334Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.052{6EDEAD03-FF62-615B-F802-00000000FB01}50523328C:\Windows\Explorer.EXE{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034333Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.052{6EDEAD03-FF62-615B-F802-00000000FB01}50523328C:\Windows\Explorer.EXE{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034332Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.037{6EDEAD03-FC1D-615B-1600-00000000FB01}12881844C:\Windows\System32\svchost.exe{6EDEAD03-108A-615C-EA06-00000000FB01}5456C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034331Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.037{6EDEAD03-FC1D-615B-1600-00000000FB01}12881316C:\Windows\System32\svchost.exe{6EDEAD03-108A-615C-EA06-00000000FB01}5456C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034330Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.021{6EDEAD03-FF5F-615B-E202-00000000FB01}9723852C:\Windows\system32\csrss.exe{6EDEAD03-108A-615C-EA06-00000000FB01}5456C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034329Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.021{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-108A-615C-EA06-00000000FB01}5456C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034328Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.021{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034327Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.021{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034326Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.021{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034325Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.021{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034324Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.021{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-108A-615C-EA06-00000000FB01}5456C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034323Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:58.028{6EDEAD03-108A-615C-EA06-00000000FB01}5456C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {24AC8F2B-4D4A-4C17-9607-6A4B14068F97} -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{6EDEAD03-FF61-615B-7756-1D0000000000}0x1d56772HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{6EDEAD03-FC1D-615B-0C00-00000000FB01}848C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x800000000000000018508Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:44:59.783{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F690BEB49E76CC6AED43D7031366252A,SHA256=CA42995F7EAD446746034E6A1DFBB55A3A911DE46AF60FC7F301E0D9B2DCFAFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034405Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:59.787{6EDEAD03-0272-615C-3205-00000000FB01}5632ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-10-05_084358MD5=34623F8C33A80F456E3422CD540B6A73,SHA256=A445F100676743D98BD65079331635BFC974CDB90EE28EE4CA78F5AB4B604CA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034404Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:59.771{6EDEAD03-0272-615C-3205-00000000FB01}5632ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=D48EEE08294BFD77E2759DB6B67F351B,SHA256=2C9D7A35C48E03F6D6841E32AEE8E156B985F220C9F0A4F8C06BA655278EF4E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034403Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:57.697{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52415-false10.0.1.12-8000- 23542300x800000000000000034402Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:59.240{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17CD05E1DDB6F79E6486BDA4C3B21C60,SHA256=41DB7642E8AE5AF652524635BCEF1E5711D67A8D88985075E5253307D81EB784,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034401Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:59.240{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA614F43D0C4AE315CE0421B46DD0A9E,SHA256=7C97B99CBAFF02315106EE6FFACD1AC684B429FE2764BDCE5C62C3F3945C1D10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034400Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:44:59.240{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CDC81FB0024DFF2D41420E483E026EA,SHA256=1BD6380F02531E9DDA0929D36341EFC57813DC24FF3EF4EECBA882246A53E84C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018509Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:00.962{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D902620AD4D83DCF9E31701215B7A29F,SHA256=2C29B140122288DCBFF6E34E09C5115F9592EC666FE4A16572A4F86297A5E5C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034406Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:00.247{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11DC15391ABE8A4A5EB750AB37096A18,SHA256=B68C6FAC4102E6ACB7B811C40822FCC3B435A3C337FFD2FE085DF8519421A34A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018510Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:01.978{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D126071DD7F09FCFFFC3E2FCE1ED5324,SHA256=C0E9B378C8A17E01A939768A1BC4753D3D1CFC58AB4D7BBB84220E0FD2DEA4B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034407Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:01.247{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39E6319F5D74B3ED68C822A137B0A108,SHA256=A06819CA052826C7A16F4F828EBFDC5D1D600EAC2D7FCDBA02CE9D2FC906A24F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034408Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:02.294{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B48AFA937D028ECD406FC86DD4DAC1,SHA256=50C1F1C9F6DC6D588FF9FA176989E4E069E491476BF2B96925AE49763DFFAFD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018512Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:03.197{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A5CF16D1707CD673A5478460094D759,SHA256=F20B3C4F2F6B58149B4A1F1C7DA7AC3AD0DD926D0B8DDAEA40DA28B0C9668F5F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034413Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:03.591{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000034412Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:03.591{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485000C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000034411Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:03.591{6EDEAD03-FC1D-615B-0C00-00000000FB01}8487068C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000034410Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:03.591{6EDEAD03-FC1D-615B-0C00-00000000FB01}8487068C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000034409Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:03.356{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6CF8485531519A01E1826EC96D0600E,SHA256=9171D648F384A782CB498B67FE7F78B4155556C8C13774D85E2BF8ED9C386F7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018511Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:00.261{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50645-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018513Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:04.431{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2FA67912B73CE5CB0F491C296E9889D,SHA256=97E58959D46D7657DD4571F2689AFA6ECDFE8BFF41698B4E8470E31B65AEB2DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034424Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:02.829{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52416-false10.0.1.12-8000- 23542300x800000000000000034423Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:04.372{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1B629285A7A9EF8CF71902FDC26B844,SHA256=4B6D6B8B96D6CB9A2F468E830C062DC44C1A1E0950C42C568114E67883FE2228,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034422Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:04.309{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000034421Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:04.309{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000034420Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:04.309{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000034419Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:04.309{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000034418Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:04.309{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000034417Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:04.309{6EDEAD03-FF62-615B-EE02-00000000FB01}49084964C:\Windows\System32\sihost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034416Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:04.137{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000034415Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:04.137{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FF6F-615B-2203-00000000FB01}6020C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000034414Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:04.137{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000018514Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:05.462{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=693EA1E3ED4DAAA128940F1E7C09B5BB,SHA256=7730326B10C0F30ECDAB43EBDF3B74CA87900C067A7C65924B3556B865684E63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034425Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:05.387{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A5D533D176FC47E20E681D333BC8E1,SHA256=EC3A62CFFC97FADC93149D1E67187649DBADBF30C0D8DF880FEC819A67ECB29D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018515Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:06.462{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA3A5C4CCC51904A96D637664B3779EC,SHA256=1188568E7CD1C472BF9D48AFF2140F1883B1729AAB36D16EEFEA979D5C798AC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034426Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:06.387{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F201E1FD212BF3D3AFFC747FBEEAF3E,SHA256=8B7A38CEC5A88355B77029F15DFCFA8F766B6068F2CD8CE750C2C33332B1D2C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018517Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:06.136{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50646-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018516Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:07.572{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6844C412D100C16ABBD557F4DE9711D,SHA256=96673271BD56B7425C4CC6B44C6DC0C6928DE0EBF4BBEBB61BB94F0576972E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034427Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:07.403{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B85428B4C28B62A44A27EAC0A9E0641,SHA256=68734E0139E0E83E65D69F5DB0C4C97E535BB95E1B30B4F8DBCE188564EF5B95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018518Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:08.806{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9027D9DE87A66498EC35CF3BB350F706,SHA256=A2391CD321C71D9EF3FCF3712BAED0B19EB1143D0F6B8992496F05CC7DA86B57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034428Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:08.434{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3AE842FE0FB70A46F5BF434ABEEAEBE,SHA256=FD9D01598CF75451C535544B4C7BD5B63A6D21BDC8F420FCE2DBA9A970FEA1C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034429Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:09.450{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=402A8C9A36322BA746E94904A9ED65EC,SHA256=9C76B597FC9D0D13E48E09EC760431FE6C240721F8E483F9732FD3461567D45D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034431Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:08.736{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52417-false10.0.1.12-8000- 23542300x800000000000000034430Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:10.450{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA60A6ADD6F00BDA998793B883F3227B,SHA256=0CAC40F6DD577074D55E50E6B76D866CC6D64E86A3EE157735A1DC07523CD673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018519Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:10.040{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D145138C49BF59214F7BCE0186187C7,SHA256=FFC298621982BECDC4DAB839D602307148385FBE89E0644FBE4A9CC134932443,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018520Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:11.275{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97764645DB5459FCF965798E7D77CE1E,SHA256=09DFE56F219F73A7290CD292C50B7F23EA56C64D38C326DB23E3A77A4564525E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034432Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:11.466{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D13885894A65922D9F2304E31EED2AC1,SHA256=9295E7F944711514CDE8585DB9A06B92E5DCD2940FD098608494EF16F00D90C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018521Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:12.431{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8570BB6B0B9605C3296CBBB445C76648,SHA256=5A3F6487E4CB97FA4319870307F4E07FD38C04782C90D88FD05D1911AE2BD61A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034433Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:12.466{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EA0E8A933968101D4DB8E098D68A9D0,SHA256=3952BA73ECD00B1636C94D5D78D3F7CBFBA5E6972D732B9C89CDA9126403E3CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018522Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:13.525{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32599685D144DCF02AC7BD7DE16E6D63,SHA256=2DAFDD8E88B0CB720ECF23E5D392CBD42FAE8D73377AF567D279822324179FC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034435Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:13.906{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\respondent-20211005071805-084MD5=AA6F78CCC35FD74424B933C975A9F779,SHA256=482DFC86E7C4A11E76E3E352EB64B396C84C083D9F57F37823883232EC55A225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034434Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:13.482{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02C50EAD0F2CD15F7C08D89AB37BD6B7,SHA256=1DA70D64235AEE165D151AE7FA4F5FB2582B46350DD330EB834C5543F2FF3499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018524Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:14.540{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42898BA1489C786ED3ABB22C6A3CA403,SHA256=BC59BEA3F22681823EC6BEAD5055D3CDB2A674889C74A6737D96C6C00BC454F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034437Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:14.920{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\surveyor-20211005071802-085MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034436Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:14.529{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C690F6207EF93AF7A2285DAB46BD83,SHA256=9BC88BB6DC5E00BED9ACA38624CD137486FB4EE2A93A8252CCA263B2E3AB1771,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018523Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:12.183{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50647-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034438Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:15.669{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F7600073FD9CB44093AC10032990FB9,SHA256=9A8D6BE81094D7A40564EAEA9DB20CB4DBC0EC81776320FC99BEF49E8898E877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018525Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:15.556{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94636C32A70C8668012740B896AD2809,SHA256=30A6D0D2657E5864889A36D391DFED7CBFE9EC846F24FD3541966C3FCBE32B58,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034440Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:14.655{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52418-false10.0.1.12-8000- 23542300x800000000000000034439Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:16.685{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0123021A66A48820E4F6D08F9C29A23,SHA256=B4303D454898619059389C068FF8222D74EE7720C86EA5B7AF2F7A3F0A56B7A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018526Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:16.572{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AF502D1A0A6C6ADAFE7FC2F226DFEB6,SHA256=CBBFE68BC5F66405D56A77606A46967FFE9C1A2B443E222681D7040E66AF8E8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018527Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:17.572{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55F586E22A2E247A4B7DBC24F4198DB5,SHA256=F1436C5038C81DE44983EE184B7CB32C0FAFDE6BB589D7F58BEC7F9F8E1E5564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034443Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:17.873{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDDA06F0A5ADFA1404AA7BD13864ED1C,SHA256=FE754EF253392C274115C4F2E0FA3832BF761B186AC23065634C90663B2CFEB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034442Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:17.873{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17CD05E1DDB6F79E6486BDA4C3B21C60,SHA256=41DB7642E8AE5AF652524635BCEF1E5711D67A8D88985075E5253307D81EB784,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034441Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:17.701{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D27A9BC651623358D1B839984AF671F,SHA256=4E64B0DEAC30A74D2B27F154B90364E57A2F66292EFC2AE9647F131F1A61CB27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018528Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:18.587{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0304BA7DEB3A2FDCF2045E8A19BA87E3,SHA256=EE139372171E08F6D1530334831451A73D66C83D2F3AA33742BE5BFB430F67EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034446Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:16.471{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local52419-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 354300x800000000000000034445Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:16.471{6EDEAD03-FC2A-615B-2900-00000000FB01}2912C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local52419-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 23542300x800000000000000034444Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:18.732{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD0DCE54250961C78EDA5080206785BF,SHA256=C51CCE51921FD1C0FD411ADF275EFA7C4BDC0A422F99483898502E3716AB33E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034447Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:19.732{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE604B8B4F1D2E484E86728480102DCF,SHA256=6AE64F7CA479BCE6AE226D2872AB63063654FA5CB8BD40CEBB63A1A3B2D91AD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018529Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:19.603{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE15555CEF28A66C0F5C0B8281EEEDD,SHA256=7EDF62E50668C6B7F2966667ADAC97605B3B959C7B269145A7967ED7716B42FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034455Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:20.732{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3F9602A1A0BFE39CC10169FDC6A83E6,SHA256=94B783BD651D8093ECD31401CB219E2C316D466CFFD6C6FB14F9DD8981D51BCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018531Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:20.604{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87F7B1C2558299323777295A01359CAB,SHA256=C6D728111E7B61CF2BC211C47D0E73A6A668B4DA5EB57B4F77E2743F3D8D0AA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034454Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:20.217{6EDEAD03-FF62-615B-F802-00000000FB01}50524512C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4505-00000000FB01}1884C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034453Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:20.217{6EDEAD03-FF62-615B-F802-00000000FB01}50524512C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4505-00000000FB01}1884C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034452Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:20.217{6EDEAD03-FF62-615B-F802-00000000FB01}50524512C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4505-00000000FB01}1884C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034451Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:20.201{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4605-00000000FB01}3588C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034450Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:20.201{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4605-00000000FB01}3588C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034449Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:20.201{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4605-00000000FB01}3588C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034448Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:20.201{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4605-00000000FB01}3588C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000018530Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:18.184{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50648-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018532Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:21.620{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03084B7CA23564927BC50EF3DF3C1CDD,SHA256=79F2652B67FBC47A64F8194B220B5678BF1039BF06081921749FA968209F9835,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034478Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:19.752{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52420-false10.0.1.12-8000- 23542300x800000000000000034477Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:21.749{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DDE205A27C670DD66C4DB78FE146A02,SHA256=A8D561A132F7AEE335E03826DDD18408D3C7F7DCB3E4AF34EF15BE3E516F8554,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000034476Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:45:21.732{6EDEAD03-10A1-615C-ED06-00000000FB01}6472C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=7DAAD66D67FF6E524FEF75C4EB88B2C2F89731FC7150F799C1841B5E4A755519 13241300x800000000000000034475Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:45:21.732{6EDEAD03-10A1-615C-ED06-00000000FB01}6472C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigFileC:\Program Files\ansible\AttackRangeSysmon.xml 13241300x800000000000000034474Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:45:21.732{6EDEAD03-10A1-615C-ED06-00000000FB01}6472C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data 13241300x800000000000000034473Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:45:21.732{6EDEAD03-10A1-615C-ED06-00000000FB01}6472C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data 13241300x800000000000000034472Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:45:21.732{6EDEAD03-10A1-615C-ED06-00000000FB01}6472C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data 16341600x800000000000000034471Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local2021-10-05 08:45:21.732C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=7DAAD66D67FF6E524FEF75C4EB88B2C2F89731FC7150F799C1841B5E4A755519 13241300x800000000000000034470Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:45:21.732{6EDEAD03-10A1-615C-ED06-00000000FB01}6472C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithmDWORD (0x8000000e) 13241300x800000000000000034469Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:45:21.732{6EDEAD03-10A1-615C-ED06-00000000FB01}6472C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000007) 12241200x800000000000000034468Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-DeleteValue2021-10-05 08:45:21.732{6EDEAD03-10A1-615C-ED06-00000000FB01}6472C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules 12241200x800000000000000034467Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-DeleteValue2021-10-05 08:45:21.732{6EDEAD03-10A1-615C-ED06-00000000FB01}6472C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup 12241200x800000000000000034466Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-DeleteValue2021-10-05 08:45:21.732{6EDEAD03-10A1-615C-ED06-00000000FB01}6472C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation 12241200x800000000000000034465Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-DeleteValue2021-10-05 08:45:21.732{6EDEAD03-10A1-615C-ED06-00000000FB01}6472C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm 12241200x800000000000000034464Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-DeleteValue2021-10-05 08:45:21.732{6EDEAD03-10A1-615C-ED06-00000000FB01}6472C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options 10341000x800000000000000034463Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:21.670{6EDEAD03-02EA-615C-4605-00000000FB01}35886968C:\Windows\system32\conhost.exe{6EDEAD03-10A1-615C-ED06-00000000FB01}6472C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034462Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:21.670{6EDEAD03-FF5F-615B-E202-00000000FB01}9723552C:\Windows\system32\csrss.exe{6EDEAD03-10A1-615C-ED06-00000000FB01}6472C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034461Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:21.670{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034460Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:21.670{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034459Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:21.670{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034458Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:21.670{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034457Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:21.670{6EDEAD03-02EA-615C-4505-00000000FB01}18843628C:\Windows\system32\cmd.exe{6EDEAD03-10A1-615C-ED06-00000000FB01}6472C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034456Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:21.679{6EDEAD03-10A1-615C-ED06-00000000FB01}6472C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{6EDEAD03-FF61-615B-7756-1D0000000000}0x1d56772HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{6EDEAD03-02EA-615C-4505-00000000FB01}1884C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x800000000000000018533Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:22.635{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AB17CE10CF252AF61DFB58DACA1BEC7,SHA256=AB6A50D0925D6CCCA82CCAB75F8F3BE1EF05284210C43C21E009535EBACF1816,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034480Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:22.764{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63BD0B00152D6FFE25CAF65A1B9ABF64,SHA256=ACFEE2AB1335AED46CED8739A83248911E10686B538BF05BB4E46036AACA10BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034479Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:22.670{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDDA06F0A5ADFA1404AA7BD13864ED1C,SHA256=FE754EF253392C274115C4F2E0FA3832BF761B186AC23065634C90663B2CFEB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034488Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:23.810{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65A353FC8B3EB4633A11FD4B88B8A56E,SHA256=0231EDA79EAFE62B4831ECDCC2ECA26B6BDE50DE9D1D6F857DB36914FDA9AD14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018534Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:23.635{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78253833BC3885CDA1D65833FE062572,SHA256=DF4168C49C78568CD2319764C06736CE185CC919A8AF299AC7EC4D26CE00BA4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034487Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:23.607{6EDEAD03-FF62-615B-F802-00000000FB01}50524512C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034486Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:23.607{6EDEAD03-FF62-615B-F802-00000000FB01}50524512C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034485Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:23.607{6EDEAD03-FF62-615B-F802-00000000FB01}50524512C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034484Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:23.592{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034483Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:23.592{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034482Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:23.592{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034481Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:23.592{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000034489Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:24.826{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D8798FF050D55E7B18A395D033F129,SHA256=F4C116104A2F1552E3D1ABC6EB2D4DB712156D31C4FF6FA33B1F36B0E783D5A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018535Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:24.651{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80464E756D4E7D8CC587F9A97BA492E4,SHA256=8BFD8A3973150EE25572D1410BF1C6BCD45AA7009B8A1691440FB03F36C5C1F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018537Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:25.667{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4497A6492158D682B6BE93FD8D5EB78A,SHA256=41AE4C19BC0303BA238CF783035346DB0ECC41204DC299D28F489D6FD218EF19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034498Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:25.842{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07D4E8A3B0D2CC2F3C088449CE4CA2FC,SHA256=C2FB492B7A68F74B239222C87D64E5171500EC5B21BEA21A1AEA0DA797D03EC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034497Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:25.623{6EDEAD03-011D-615C-0305-00000000FB01}57405284C:\Windows\system32\conhost.exe{6EDEAD03-10A5-615C-EE06-00000000FB01}4796C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034496Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:25.623{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034495Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:25.623{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034494Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:25.623{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034493Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:25.623{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034492Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:25.623{6EDEAD03-FF5F-615B-E202-00000000FB01}9724272C:\Windows\system32\csrss.exe{6EDEAD03-10A5-615C-EE06-00000000FB01}4796C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034491Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:25.623{6EDEAD03-011D-615C-0205-00000000FB01}54284716C:\Windows\system32\cmd.exe{6EDEAD03-10A5-615C-EE06-00000000FB01}4796C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034490Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:25.628{6EDEAD03-10A5-615C-EE06-00000000FB01}4796C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add HKLM\SYSTEM\CurrentControlSet\Control\MiniNtC:\Users\Administrator\ATTACKRANGE\Administrator{6EDEAD03-FF61-615B-7756-1D0000000000}0x1d56772HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 354300x800000000000000018536Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:24.122{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50649-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018538Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:26.667{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31159E0BB8E956B203999DC650B01351,SHA256=625FF4942BCA80BC5CD9387B241D387438CF17F89BC06955F58B575C4299A3BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034500Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:26.842{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1806113FF32A7A44A99BCDAF5A6EE6D4,SHA256=4372EBD4232BC3F4226AC90FD6B4BFDAA2C3D5F0C5CA2CA451290C1DBDC79F45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034499Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:26.654{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DE8330B69874AD70745971599C18046,SHA256=A69C07F58CC6673355003A69BD14EEFAA2A624FDAE22B3B7320CA4E953D79762,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034501Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:27.857{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=912F9058673136AD9E4F9B8D10BE58F0,SHA256=53E69FD5CFD193C0C8F32F1A3EA8DFE4C07D08055CE097C8E8EB5FDFFD95DD63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018539Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:27.667{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3CBEC21BD22134A98FF41FF383E2D51,SHA256=9EEDC3D10496F52AE3BE5C305585A433BE7EEBD1DB041936C1A888C047A15016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034503Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:28.873{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=749549DE4603EEF808A17B1261604580,SHA256=30148E83D8E9E6BFF9DC1B571FA8B5141DB36D750B9FF3D87DEAC98CCE040EAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018540Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:28.682{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3661682BA04427990D4662B2B4C7B0D2,SHA256=FBCF54972B28BEAFD1A8C62A6D5552C08D1EDFDCD631C346E1EF3CF366DF732D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034502Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:25.752{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52421-false10.0.1.12-8000- 23542300x800000000000000018541Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:29.682{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CFB66731A524191A17AEC4E5AAA6C70,SHA256=03FC7185BC48F6AA8073FE4517A921EE79C91775B4A3C5B60AA0B8A8ED93A23C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034504Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:29.873{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABF5163307B5BD56EBF56B708E732ABF,SHA256=E0056B655286FBCDB10033FDA557716D28D506FC73231ACECD138ED85E3FBEE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018542Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:30.698{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C71407828889F76D63E80F0B3A97A42C,SHA256=E25F27253287286140A6F937C486C23B038FBCEBA082FC1E832C064691C11156,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034505Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:30.889{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAC70BC040FD29AFE4E8D808C01BDDC8,SHA256=7C0F728FBD873F670F6E5BACFB2EBBF9B396BCE3A8CE7897B4B0196BEED4BCB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034506Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:31.935{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AD1797848AA77290426E8957C6B436C,SHA256=3E77CC79939BF8C971AAADDF17991E03361CB3D9F6CEB4118E7B0A72BAF14C1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018544Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:29.263{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50650-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018543Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:31.713{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081D5548E3A1A62F3FC15C71EB16757C,SHA256=16144AFED879349528E4AFCA7A256C06AC549339F0A387B56DEBBCEFEF604979,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018547Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:32.716{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7BB431576F028DA3DFCA4713D2DA698,SHA256=30361DA46542BDC9C103708A989A3C505C2BF47900F7D7111C5655E97B5A18A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018546Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:32.606{49C67628-FDEB-615B-1100-00000000FC01}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=157FDFFDA4A3662C926550E0EBE0DDFC,SHA256=96979C8D34955B7839A759EC161ECCE7ED0E29332663E67B2EC5369E0355BF19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018545Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:32.515{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\respondent-20211005072534-077MD5=9DBD3CF651CAD1963D7DD9E70795396E,SHA256=D00FE5240C0E39CC33FD8ADFFDA13197E8833401D0A3D05F731F6A79B8E00229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018549Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:33.730{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78014697A286C54FA263C911A8E37BBA,SHA256=87EA21FF06E3235ABB4441ED44E6B10E62EDADF615100D5A215161133D30E085,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034508Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:30.830{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52422-false10.0.1.12-8000- 23542300x800000000000000034507Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:33.013{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36981F03523475BC78442514220ECE18,SHA256=08644A7EB6645B11142A33212DE7AB16263BC72240DC172444FC3AC0BB79E4B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018548Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:33.528{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\surveyor-20211005072532-078MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018550Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:34.733{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60C79499DB06BE691D16319C8E028992,SHA256=C202B0BB1BDCA69E9965B85DCE913F8163768399C1B1C6F68DED2B68F4231D02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034509Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:34.045{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AA48220F6EC85DC693615977BE0B7CF,SHA256=2FD1F26FAC32EE25FF963B5F12FBE098C1C6CBB4019849F7128EE13551C780C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018552Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:34.297{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50651-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018551Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:35.749{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68E00653F390B954420044C5268F3663,SHA256=58569F71450D3EFF4462B6436A11C5C36805FB7F72060C9A299939E07B985506,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034510Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:35.060{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BE9AA6446D4978DF606F49DBD12D0AA,SHA256=70291335CBADB394BED5789FF92B00016354DF00D6A83538003C3E2548CF2956,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018553Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:36.749{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50439C6E2DA79A2E089E2D12E1DF866D,SHA256=F411DCB442614E3FA31CF4DF10A8E92D022388C29DECF5DEAE3F706C8C32A6F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034511Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:36.217{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DEDFC7A60A4A4609A3AB8D5943CFAD9,SHA256=781012D3587F9B5654D7488C86DE4EDAA48DE1B18C71CABE49363392E959B9B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018554Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:37.765{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33D7904C04AA5E32B349B79A140FB02D,SHA256=49E13B9A0D2C8041F8554196FD2E464DEC22FC4A20600453FF6262232CE5FFD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034512Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:37.248{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6854B7A7059EDC703D25B79B64A84D67,SHA256=531B34BB15D2E4E8C82D7AF6FB3CA3C77A76766729B65905D574B9D4A3CCDBB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018555Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:38.765{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A2737A598BE2B5F337E8C356535E7BA,SHA256=BFE8488CDB3BB3B3D02A571B3EA15EC28C6E5B073B4FAFC16E35D6E57C5683AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034513Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:38.310{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59855F69C067C537957370423A915066,SHA256=E0EAEA981D202CAEA7E8212A5B1E53F9CC8D82A92495F5E148C94EF7FF237F2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018556Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:39.780{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=075F9733D1FFBD71162302273F81AC42,SHA256=F9D7E51A851B77AF3AAFB43A0BD53FECCF6145A8A094B81646F4F89DEA6D2AA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034524Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:39.670{6EDEAD03-10B3-615C-EF06-00000000FB01}12682144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034523Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:39.482{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-10B3-615C-EF06-00000000FB01}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034522Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:39.482{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034521Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:39.482{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034520Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:39.482{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034519Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:39.482{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034518Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:39.482{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-10B3-615C-EF06-00000000FB01}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034517Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:39.482{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-10B3-615C-EF06-00000000FB01}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034516Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:39.483{6EDEAD03-10B3-615C-EF06-00000000FB01}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034515Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:39.326{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C26A7D425422D8B4C7D5FE7660B9DA8,SHA256=963D903A4CE26F734E63E3CCB884C3979D7C4139F772403580D3051D03B37D19,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034514Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:36.752{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52423-false10.0.1.12-8000- 23542300x800000000000000018557Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:40.791{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1FD3EB3F13F896FFF7F32B0CF87C67B,SHA256=477A213814C0B8DB43854904C30D470DB74DACA37690DB29B435AB7117E8FFAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034544Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:40.669{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-10B4-615C-F106-00000000FB01}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034543Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:40.669{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034542Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:40.669{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034541Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:40.669{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034540Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:40.669{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034539Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:40.669{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-10B4-615C-F106-00000000FB01}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034538Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:40.669{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-10B4-615C-F106-00000000FB01}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034537Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:40.671{6EDEAD03-10B4-615C-F106-00000000FB01}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034536Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:40.513{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=387957F37923915ECD354EE223BCAA45,SHA256=8DFF67246A028898260365AACFD12EB55C13CA73DD64D72092EDD5E10222F7F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034535Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:40.513{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE5D7F7EE66F6DE6BE9F5917CDA63D69,SHA256=8553BD50BCB05DE0D24BAAF2538D9DCEDDB2D420F6AB923397444034D2B9DBD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034534Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:40.341{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FD65268ACF475537BCCCC97A11F9CFA,SHA256=92C8E2DBDF7004DCD1E2C9315FC0C628B5431C5C64A8B6568A1CA1540FC1C881,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034533Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:40.154{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-10B4-615C-F006-00000000FB01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034532Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:40.154{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034531Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:40.154{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034530Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:40.154{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034529Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:40.154{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034528Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:40.154{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-10B4-615C-F006-00000000FB01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034527Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:40.154{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-10B4-615C-F006-00000000FB01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034526Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:40.154{6EDEAD03-10B4-615C-F006-00000000FB01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034525Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:40.091{6EDEAD03-FCBF-615B-AF00-00000000FB01}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018558Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:41.822{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4582F24975A1E273D1D1B98A0EC9E10C,SHA256=BE712F9549DEED728E7443B2D95A1B1998FD0BD0B8CDEEBDB4085400D3AE440D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034546Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:41.716{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=387957F37923915ECD354EE223BCAA45,SHA256=8DFF67246A028898260365AACFD12EB55C13CA73DD64D72092EDD5E10222F7F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034545Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:41.450{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=943A4BFD35F40901D7D63310AB6E6962,SHA256=2AE76855A9AC8FAABB107D1D3908178388D55E0AAA930FE5A801EA3A995DBDC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018560Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:42.963{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B205D184F4A0B1D56A1433374BE9385,SHA256=5C3DF7D706645DBD417F3FD69B121FAC7CFF1039B4724C539FA60484796ABE01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034565Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:42.950{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-10B6-615C-F306-00000000FB01}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034564Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:42.950{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034563Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:42.950{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034562Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:42.950{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034561Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:42.950{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034560Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:42.950{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-10B6-615C-F306-00000000FB01}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034559Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:42.950{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-10B6-615C-F306-00000000FB01}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034558Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:42.952{6EDEAD03-10B6-615C-F306-00000000FB01}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000034557Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:42.560{6EDEAD03-10B6-615C-F206-00000000FB01}18886976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000034556Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:42.466{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DCF52140C7F5E3B1C290ED74D017512,SHA256=A023C3D2373BD88EA571A8F4EC41BF981A8D35C24371ED0C530AED913A1031C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018559Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:40.325{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50652-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000034555Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:42.388{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-10B6-615C-F206-00000000FB01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034554Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:42.388{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034553Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:42.388{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034552Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:42.388{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034551Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:42.388{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034550Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:42.388{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-10B6-615C-F206-00000000FB01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034549Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:42.388{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-10B6-615C-F206-00000000FB01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034548Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:42.389{6EDEAD03-10B6-615C-F206-00000000FB01}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000034547Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:39.674{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52424-false10.0.1.12-8089- 10341000x800000000000000034585Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:43.732{6EDEAD03-10B7-615C-F506-00000000FB01}26925192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034584Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:43.575{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-10B7-615C-F506-00000000FB01}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034583Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:43.575{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034582Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:43.575{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034581Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:43.575{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034580Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:43.575{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034579Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:43.575{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-10B7-615C-F506-00000000FB01}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034578Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:43.575{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-10B7-615C-F506-00000000FB01}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034577Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:43.577{6EDEAD03-10B7-615C-F506-00000000FB01}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034576Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:43.497{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73DD63F27FB531F063D1C6E57C3D2FA3,SHA256=E74B1EE32129A529BECE1D56231E63DF1234063C310381D481570A1ABE79285F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018573Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:43.885{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-10B7-615C-0803-00000000FC01}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018572Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:43.885{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018571Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:43.885{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018570Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:43.885{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018569Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:43.885{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018568Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:43.885{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018567Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:43.885{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018566Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:43.885{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018565Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:43.885{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018564Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:43.885{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018563Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:43.885{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-10B7-615C-0803-00000000FC01}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018562Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:43.885{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-10B7-615C-0803-00000000FC01}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018561Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:43.885{49C67628-10B7-615C-0803-00000000FC01}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034575Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:43.435{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EC13E169F92C0732FF5869406CF2330,SHA256=C49926EF070238247546245F868247FE4CDE073D5CFB897B82AD2732BD6ACDFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034574Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:43.372{6EDEAD03-011D-615C-0305-00000000FB01}57405284C:\Windows\system32\conhost.exe{6EDEAD03-10B7-615C-F406-00000000FB01}4044C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034573Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:43.372{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034572Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:43.372{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034571Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:43.372{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034570Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:43.372{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034569Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:43.372{6EDEAD03-FF5F-615B-E202-00000000FB01}9724272C:\Windows\system32\csrss.exe{6EDEAD03-10B7-615C-F406-00000000FB01}4044C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034568Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:43.372{6EDEAD03-011D-615C-0205-00000000FB01}54284716C:\Windows\system32\cmd.exe{6EDEAD03-10B7-615C-F406-00000000FB01}4044C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034567Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:43.375{6EDEAD03-10B7-615C-F406-00000000FB01}4044C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add HKLM\SYSTEM\ControlSet001\Control\MiniNtC:\Users\Administrator\ATTACKRANGE\Administrator{6EDEAD03-FF61-615B-7756-1D0000000000}0x1d56772HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 10341000x800000000000000034566Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:43.122{6EDEAD03-10B6-615C-F306-00000000FB01}64286916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000034596Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:44.763{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB6661C03A325CD38D502C44C1B31067,SHA256=34D1952C0F264D44A46965B2199CD56CBDE354BA3B80BD8AA167726DC4E7EA2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034595Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:44.622{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF625E7C8B74BB688642BEB8011C7CFF,SHA256=21CD8B2FCBC2FDE4D53D7B79C667BC5B087DC62EA1194D6D63A78237AFAC72CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018590Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:44.900{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57F94AFDA83514BA858DF85C666B661C,SHA256=4B7390761C39B2FB18CCD6BF64B4F0F91FFD624BA9846FCC91D9219F2D7DBDDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018589Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:44.900{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4D5EED6D8B921BE4FC79E9362696D3E,SHA256=293AC0907CE9E58BACAD7C3AD526AB490A8020DE87974B81B92EF8F155514631,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018588Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:44.385{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-10B8-615C-0903-00000000FC01}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018587Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:44.385{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018586Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:44.385{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018585Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:44.385{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018584Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:44.385{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018583Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:44.385{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018582Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:44.385{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018581Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:44.385{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018580Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:44.385{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018579Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:44.385{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018578Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:44.385{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-10B8-615C-0903-00000000FC01}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018577Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:44.385{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-10B8-615C-0903-00000000FC01}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018576Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:44.385{49C67628-10B8-615C-0903-00000000FC01}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018575Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:44.119{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=578353F33B46BCD50A4DB3A417AE2FBC,SHA256=8D98C7B8BC10790D995BF8D263EBE1C258DFC65EBDA104FA04A41B5C711564C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034594Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:44.154{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-10B8-615C-F606-00000000FB01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034593Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:44.154{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034592Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:44.154{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034591Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:44.154{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034590Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:44.154{6EDEAD03-FC1D-615B-0C00-00000000FB01}8484668C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034589Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:44.154{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-10B8-615C-F606-00000000FB01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034588Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:44.154{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-10B8-615C-F606-00000000FB01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034587Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:44.154{6EDEAD03-10B8-615C-F606-00000000FB01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000034586Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:41.814{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52425-false10.0.1.12-8000- 10341000x800000000000000018574Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:44.057{49C67628-10B7-615C-0803-00000000FC01}38043560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000034597Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:45.638{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95AFFED6AE02E2B27A52217950E194A0,SHA256=E543A49A75D4BBB38F1362A6119A9A7524DAAB1211B08F382679A020C34105C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018604Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:45.385{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46415E96E7E1280B6CC532673D1F890A,SHA256=027098843A0D80384DF4A1D910BCD67B3ED5A111BBAEE49E3D3A3F2589194A06,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018603Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:45.057{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-10B9-615C-0A03-00000000FC01}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018602Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:45.057{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018601Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:45.057{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018600Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:45.057{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018599Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:45.057{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018598Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:45.057{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018597Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:45.057{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018596Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:45.057{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018595Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:45.057{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018594Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:45.057{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018593Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:45.057{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-10B9-615C-0A03-00000000FC01}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018592Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:45.057{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-10B9-615C-0A03-00000000FC01}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018591Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:45.057{49C67628-10B9-615C-0A03-00000000FC01}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018620Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:46.432{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70A5DD308800B497E9657BD164836037,SHA256=221D45BF00FF5496EA0A9E0C92D0E772C653CA5224AEA40B461D1A0887263ED9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034598Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:46.654{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=793A597041198341BA69E7FEC32539E2,SHA256=B128D1ED114C93AA1DD2AB94A6D38E70C63AFD0DE40527F5E2C6801F5F206129,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018619Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:46.307{49C67628-10BA-615C-0B03-00000000FC01}12882504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018618Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:46.197{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57F94AFDA83514BA858DF85C666B661C,SHA256=4B7390761C39B2FB18CCD6BF64B4F0F91FFD624BA9846FCC91D9219F2D7DBDDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018617Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:46.135{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-10BA-615C-0B03-00000000FC01}1288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018616Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:46.135{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018615Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:46.135{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018614Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:46.135{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018613Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:46.135{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018612Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:46.135{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018611Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:46.135{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018610Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:46.135{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018609Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:46.135{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018608Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:46.135{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018607Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:46.135{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-10BA-615C-0B03-00000000FC01}1288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018606Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:46.135{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-10BA-615C-0B03-00000000FC01}1288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018605Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:46.135{49C67628-10BA-615C-0B03-00000000FC01}1288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018634Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:47.932{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-10BB-615C-0C03-00000000FC01}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018633Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:47.932{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018632Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:47.932{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018631Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:47.932{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018630Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:47.932{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018629Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:47.932{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018628Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:47.932{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018627Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:47.932{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018626Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:47.932{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018625Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:47.932{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-10BB-615C-0C03-00000000FC01}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018624Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:47.932{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018623Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:47.932{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-10BB-615C-0C03-00000000FC01}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018622Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:47.932{49C67628-10BB-615C-0C03-00000000FC01}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018621Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:47.650{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00EA02E07D10BCA0829901CF1028FADF,SHA256=AB05EF69612A42AA988C4D77B48BDF55040D50A8BD6CEFF17AC95400AD56E404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034599Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:47.669{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2267D02E6A9A0DB4C9EBFAC0F840BBAD,SHA256=F16EDD833650AF96B7DE155C39DBDCC77AE838C85E4B245ADEBF1E989DC0BCDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034600Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:48.685{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E5A9D03377E58DB55EB723F050D2A73,SHA256=B1A66D2BE70453CF76A1C6D32C0E42C74DFF782A1075950A0C62FBA11FF3E2C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018651Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:48.760{49C67628-10BC-615C-0D03-00000000FC01}35323744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018650Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:48.603{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-10BC-615C-0D03-00000000FC01}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018649Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:48.603{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018648Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:48.603{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018647Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:48.603{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018646Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:48.603{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018645Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:48.603{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018644Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:48.603{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018643Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:48.603{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018642Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:48.603{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018641Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:48.603{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018640Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:48.603{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-10BC-615C-0D03-00000000FC01}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018639Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:48.603{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-10BC-615C-0D03-00000000FC01}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018638Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:48.604{49C67628-10BC-615C-0D03-00000000FC01}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018637Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:48.369{49C67628-FE68-615B-9F00-00000000FC01}1772NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018636Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:48.072{49C67628-10BB-615C-0C03-00000000FC01}2122316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000018635Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:46.278{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50653-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034601Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:49.700{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA5C13B635494763ABB2AD62FE405ECE,SHA256=0922C350F3664BEB32E3FF2E421F048B2FA3D9C6A4C9A2BCDA8348BAF55148D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018666Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:49.322{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CE5CAD19408EA627990A7A394DBC329,SHA256=DB4712D023C1AA2E84F4298EA7B1DF581CC5E5A41E0C4507E2E00319214F9FE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018665Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:49.322{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DF45A15053FE29EAF456158373D4C84,SHA256=A9ADE588572239C5FA159470F9961D2E54D9316EFE804373A52E7B172EF2AFAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018664Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:49.275{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-10BD-615C-0E03-00000000FC01}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018663Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:49.275{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018662Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:49.275{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018661Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:49.275{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018660Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:49.275{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018659Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:49.275{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018658Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:49.275{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018657Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:49.275{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018656Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:49.275{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018655Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:49.275{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018654Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:49.275{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-10BD-615C-0E03-00000000FC01}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018653Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:49.275{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-10BD-615C-0E03-00000000FC01}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018652Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:49.276{49C67628-10BD-615C-0E03-00000000FC01}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034604Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:50.857{6EDEAD03-FC1D-615B-1200-00000000FB01}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=902D35138B5907674756BAFC9210FA11,SHA256=0BDF775BD4CCB9904B346E38554B0048717CCFADB7ED3A827A923B52E601715C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034603Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:50.716{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C709DC5D6FF1BCFBBB77865507E16AA,SHA256=B61D20564F8F1B45F7C446B0DB8AD430FE390F2EA38890ABBC480A3DEF7348BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018669Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:50.322{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BFC60E7C88CFAEFBB028BE418464E1D,SHA256=1F80F47B04AE7E8994A56122B05D4159A8EA1B20FB0FFB28ED29C0BC84E6964D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018668Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:50.307{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACC8290F6489F98149161AC3941B0416,SHA256=B835555FD8606D774A384373B4593A6BB40B0C28D03B75FCC133BF2834E36D9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034602Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:47.799{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52426-false10.0.1.12-8000- 354300x800000000000000018667Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:48.418{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50654-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000034605Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:51.732{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C090BEA8670629B25B10C1A535BFFF6,SHA256=F9E2E83A529F0ABDCDE4D694661924EE3C6E836DAF7F426A849CCF07ED20477E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018670Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:51.400{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC9B14CE18A3B706B23E4E4BAD372127,SHA256=6851017A64859D23E9E0EB8DFD3EDB38081C6AA0C10A974EC3DC789B643BB55B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034606Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:52.763{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE5782DF599055DDBD89A5F0ABA40422,SHA256=1CD7A8D065F5163A19F0E03D41A28C097FC9C6FDD1F006C543C424769187CD6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018671Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:52.603{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C86EFCF7F97A48BF1DAE62724593F3D3,SHA256=2F7596487288112D5C473612D854660CF920F7B99599835641318DA538C3161A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034607Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:53.779{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE22E87936E43D73FD90CABA866CD850,SHA256=D251439E828C98860DA5186774F480CF57008403206996EED509C92FFFD253A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018672Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:53.760{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D28E4646815339DB13DA6758802E743E,SHA256=18E1133BDE838B0EAB5464C21FCC8BA226FD606DB25210494178BB2C3DED6B97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034608Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:54.841{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C646FF48D58EEAE7CB3C3CA8ECD507D,SHA256=3DDC498BFDF5829565182C87ACA45454C2C0EA15D62BFF0B76B47F1390EED319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018674Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:54.885{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8415FE92F4C4373CCC6D2350DF8C54C,SHA256=53239E634FB775F86755BDB4CFCA798761572146C9AD990DC4040132E8E55167,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018673Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:52.246{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50655-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018675Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:55.916{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EF619D74433BB4A90C15EC53E5197B8,SHA256=5EBCEDCAC19C71A01EB68E47FDEDDDF8576F5B6D139DAB196B8BD2E20D7EE857,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034610Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:55.857{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB9A6906987F2DB5F0924DBE1FF94238,SHA256=F80C9EFF52E3B7AAAF7DD4A46132D2271BA4FA85E0C1B2616F97B60C2557B0BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034609Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:52.861{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52427-false10.0.1.12-8000- 23542300x800000000000000018676Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:56.963{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2C8D17315F5C3B2F77E926871A8EA31,SHA256=10298AD7D940E7319CFAAFB6EF86D48D84060625D1EB88DB63E7AA58D81BB1C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034611Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:56.872{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C63BEB6705FF3D83017A4339F8B9B321,SHA256=0EDCDFF5D0B14406296D42F770E3F0DB0D6F721BAF29CB9A8883C7C22FD488C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034612Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:57.919{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FDB280DC98380E8EAEF879F21DC6E96,SHA256=38F9C57856273A7ED70DD24AB14377110C45BAD12E3C33851BE081D7810B3DF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018677Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:58.197{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26555A58E375CBEE665A78270648079A,SHA256=33E57162B03841DECD4233F50FB8636BD2C4A2C28F699B4A4D9337547788E128,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018679Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:59.431{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BEBB0BA2172B974569AAFEB33434B63,SHA256=CE169FC704A89956FB8D0A5E3AE96BAEC9CD1E834120F67EEA1E9B85D63BDF96,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018678Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:45:58.106{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50656-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034613Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:58.997{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=392AE9E180994353D4F6BB6034A85F84,SHA256=588F00DF743CEB7BD8A2593880087C68CD0C3758A80DABA043C2722A3770909F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018680Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:00.628{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDB7A8C84C5CEAB800C590EAE6CADA7E,SHA256=611385A2A6A92194CBEAA225BD066C7D604CE04AC69AB57F706223A01634BD6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034615Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:45:58.675{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52428-false10.0.1.12-8000- 23542300x800000000000000034614Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:00.225{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCA9BF432425396EA495E5A6BC6B1CE7,SHA256=42E20D0FA03BF3D3EA8C21E915B45BD25856A7B93E1287479683729ECD781469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018681Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:01.722{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C495B02EC029513F7BA2707F88E9CB9,SHA256=317255E534DF4CCD315BAC6E659AA1295F12E9AD5C4E7F0AC5E36C77F68E7504,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034616Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:01.288{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BFC9E4020D5B1BFD0F08CA907E9B5B1,SHA256=30898802A41C17516C10DE48AF532F0034EA825D50868F8677F24AAC795A611B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018682Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:02.784{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E3283795F2A09305FC246EEC68122DC,SHA256=9AB9E46E9565B54D8ADB1DB0F9A61D7588670DC1CE996DF33552E96339F0698C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034617Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:02.303{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F28B9FBE9556F9C3979A73747EB31CDD,SHA256=D7591FBA508D68F299E00FDD462CED95515317989F5E1E3ADE638311096E3A85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018683Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:03.831{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ACE52486ED9F1CFFE337C1732B0A22D,SHA256=1D15C7BDF43B58AC9C8FA14010735CF0A8C288DF7C92B0BDFA0DD734FE2BDA10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034618Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:03.334{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1270AC2D6304EAF5D2A30470717CD8E3,SHA256=C1D18177719957E030BA5DB753E4E6EC01770AA04AE71CEBC2BE2266CF42C23D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018684Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:04.956{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EB0B4946606A521AD3A32CF84E6D564,SHA256=9A923441051F825989AE69AF25FFC7CF7C5F47160FC8F5F8D8B0E3668BB62E2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034619Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:04.444{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=889A56DC34086F9D879E1F18C3AAB09F,SHA256=486E055E507149FB9571048E43EF0E771748E348FAB2984C175789588A39009A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034627Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:05.928{6EDEAD03-FF62-615B-F802-00000000FB01}50525756C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034626Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:05.928{6EDEAD03-FF62-615B-F802-00000000FB01}50525756C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034625Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:05.928{6EDEAD03-FF62-615B-F802-00000000FB01}50525756C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034624Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:05.913{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034623Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:05.913{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034622Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:05.913{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034621Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:05.913{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-0272-615C-3205-00000000FB01}5632C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000034620Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:05.475{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ED4CE16354E6B8C11D1E3898E264DD9,SHA256=BC3FA5D53F516D1954F957F4BFB17CC176B40AD8D9F26C963E8EDB5265C7820B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018685Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:04.131{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50657-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000034629Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:04.651{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52429-false10.0.1.12-8000- 23542300x800000000000000034628Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:06.553{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FB16E064B37AF1C3D76E5810267A6F4,SHA256=57EF7373FE14C22462C9D5A512C79A713FA9A741AB564CE570B4604E1EAA0F71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018686Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:06.003{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD866A433D10D749BFC12290A5D826B8,SHA256=05221E1A52F1440D801FDC632B62DAE8394D8E8C65C19DDD531DFC0F92F513FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034630Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:07.569{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9130E9F52BD762DF39ABFF832562D944,SHA256=62E3E540F255082AB08E3B294454B8C21159FF504B68A4A011C568BCBF8E03C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018687Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:07.003{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11439D6CDADF29F5EE6F03D4C3D30586,SHA256=ED770838FA55BB83D1EAFF180A87D01618A64F095D6151551B87EB25FDA61195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034631Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:08.569{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C135A8CDC721849F203CF58C107A38EC,SHA256=103CC47D27C3A681887C926091AC9217E57278A444EA96A7D261DEE0EE8642CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018688Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:08.003{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3467FD418EA3917EE8C9FE05389B573,SHA256=581CF403439621754CC40EA600DE5E5DB869E31165DE37CAEA78A0FF0D881B65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034632Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:09.694{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F50D4CA9AA612D7B9B5437B1821B85E7,SHA256=24D9572F1F0757D84023FD867D11A9025091E4BC90D502054A2F5CB5695237E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018689Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:09.019{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB5187876D92639353391927854C1350,SHA256=4725B0BB6DFA694792321F43B98B47890BF2DB4815439E2BB296C1973A08AB22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034633Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:10.709{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B204249C118B406FFE6B6E0F57EA106,SHA256=BDCE7DEB0430CA38A2310F2CFF10B703AE6AFE92E1D28A7CAEABBC9A16EB497A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018690Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:10.034{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA6FCFC7C602563B1720CAC54DE3FEB6,SHA256=71588DE2E91079884083B3B2E6196A425206559EB78C6FB510BACFA15BCB12CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034634Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:11.709{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1480E8693D5432E58D0D9835EFC7E0DE,SHA256=4F0C16C4234005C820275BC1524034032688C704134A4361D02EF771AC7DCAE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018692Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:10.116{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50658-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018691Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:11.050{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=723BA6AB11168785068FC18466F003DB,SHA256=839D11A37C473C5919924D12849EB1C3CB21CF470761132B705277D8AA50CA8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034636Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:09.808{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52430-false10.0.1.12-8000- 23542300x800000000000000034635Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:12.709{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DB85B25B43D126F9D36EFBB65B50768,SHA256=29F60F057801A67D1ABEFE8DDBB324466A8FB12028A6933F3A6518DF869631F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018693Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:12.050{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90DB062329A9CD0B7701CB66FCAEC5C9,SHA256=393E826B30274D6CCD09B9D1B4814B7A76C50148DCD4F421FBD87743FF57EFAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034637Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:13.725{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1CA7D9AF4D6C01CC45FA9CE3BD3DF2C,SHA256=FB5D6CF122AAA756EE92A231523EC18CED289FB4ABB10297F400A829857B8360,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018694Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:13.066{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=209D48192E4562F46AFD3CB83EFC0469,SHA256=65DD8AD46EA35A3200A8DC36B13E0D96E62ED1764CAECD47F2BF3EF58DBD42D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034638Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:14.725{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BAAD7C51FBAFA8486D7549B8AECCC09,SHA256=34DBEB8F2B40333F1E703A99E21BF6653FA75A0F9E0FAF1CC0622821ADCB9DB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018695Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:14.081{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CB43BD3BE149DFFFAE1531C5AD1EF4D,SHA256=93E3E47B123EDE88994F6B0D5377B31F36CB749EADD7FBB5CB0C41955C4C713D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034640Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:15.731{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96D08BCEB5CE2216EA6ACC3EE1E8054D,SHA256=4035F39CAA9C2C036FB730111653D006A85DF7F8843BB96C162A4EB17A9D8C62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018696Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:15.081{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E4BF38F3A5F7340E1DFB21012EC5A6B,SHA256=090A21B001107D9C90338FC242EA7DC4940650ED353941F21E5118A9CB71BBB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034639Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:15.450{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\respondent-20211005071805-085MD5=AA6F78CCC35FD74424B933C975A9F779,SHA256=482DFC86E7C4A11E76E3E352EB64B396C84C083D9F57F37823883232EC55A225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034642Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:16.745{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A687D482EE25F8B46F55CA9F9230196E,SHA256=C317FCF10F339449D4C5C1F3E3297C8586A32F0BB436F0BEC5B0E84155BE706C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018697Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:16.097{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D8A4935A4E4C8C600651740A577D37D,SHA256=C6786F3C05CE5C3A2DEB519373895B3C3D8544BC64F3AA792108AD9E62121EB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034641Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:16.451{6EDEAD03-FC2A-615B-3000-00000000FB01}2280NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-00ade5b11017bd16f\channels\health\surveyor-20211005071802-086MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034645Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:17.936{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=575390496B7D0AF947895EE1F465DFA6,SHA256=964FDEEFB18B79E01FF3FF2B97E2D6244D25D5C5A180BDBE566E0626F45B655A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034644Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:17.936{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C6B7396596928105E920E9F2777C900,SHA256=CC4D707B20CF0796E9948E9BB6A4795C53DA76893FECF4B159E658F827424073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034643Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:17.748{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C7E84B10D96A5414FF11B64B5972AF7,SHA256=136EE94557CD12B3E5537099F8A0A7037A36915ED1A8B9249FF43AC595980365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018699Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:17.113{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=241DF0FF59633D910971DE88190BE2EE,SHA256=81415DAED46CCFFDFF5BEC17FD6EA11AB537EDBB447BCE03A36080B7BB05E7E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018698Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:15.240{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50659-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034646Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:18.748{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BE466C3B206B636DFA9CDBF81D2C9A6,SHA256=2C338062A2C349EDE40F3F706BC0BBA3775E154CD0197374938117AFFB06D044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018700Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:18.113{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFFC65A1AE159E5840CEC4FD976AB6B3,SHA256=FE6008E6B7A668ED3F4C359282207B8A235BC6734739A2282BA21765B55D57CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034650Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:19.748{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98F5B8B511CF81FD7C8EC5462440B6DF,SHA256=BA44C03A1B245B545BE1E886CD758DD13C6F08CCEDA22D82FBEAA9FB9CB56601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018701Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:19.128{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=987BF9C716D3FC083D2C0F3810E124E8,SHA256=D0B04E1BE41A3C4607CF9F86722AB2017AB9ED09460C23B062916EDFDA90FD0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034649Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:16.484{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local52432-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 354300x800000000000000034648Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:16.484{6EDEAD03-FC2A-615B-2900-00000000FB01}2912C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-676.attackrange.local52432-true0:0:0:0:0:0:0:1win-dc-676.attackrange.local389ldap 354300x800000000000000034647Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:15.829{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52431-false10.0.1.12-8000- 23542300x800000000000000034651Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:20.761{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=374DFB885FEA035DBC58BA37B245E46E,SHA256=24C53C7DB16CAE232C5D2C16DB4376E2AB5B6BD129BC54537CCA7DDFF426696B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018702Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:20.133{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3247E22BF8EC5AA0834769B648FF5B59,SHA256=1970BDE591FEFA3478CDBA68328E9B429B16455946C8B1187E4FC85930811D28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034652Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:21.761{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2568D096CDC3F8D02A03BB5B16057DA,SHA256=ED67B33C697E93873292BEF3E055436373293036C5843C7CC3122E10F1DFC962,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018703Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:21.133{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBB2229414E48BB1BCB3A0931E03A38E,SHA256=BEF9D5480E246842CC36FDEF11B81A52F5781D28CBED8D393A33B933B5224516,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034653Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:22.761{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34D411E4E0FDE61F904A72A2B40EE04F,SHA256=C86CAF2190D2441D9F9814FBE772D126E8EEBE2F8095F687590C87918B7BDD09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018704Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:22.149{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA3F77EFEFA69E9D9CC888E06C4EB95,SHA256=D3440D7DB25C895F27EF0926A2867A95AEB3AB983988ADFF7A443FBDF20BAC46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034654Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:23.777{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7156366C52F7D676401FF5B29FB4C72,SHA256=89D822ECA4F148A55B21A00A726D3C0B48DBD400D5AC6D02C10A2684069C31FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018706Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:23.164{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51BD64F4A91D38AD6225007DCD382E56,SHA256=23C90288E425CD26F5AE416777F353DF54AB7E983F87EB04A71231188525112B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018705Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:21.120{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50660-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034656Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:24.792{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C8FB2A58F3C2628A945ECCEE609BA56,SHA256=6DCB95FBA92AC217F623E880BA9F01402150CBC5F8C6FF11BF79C0CDDC55BCA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018707Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:24.164{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DF0F05208E5EF0ACD0A095793783179,SHA256=0B84566CD099DE0A2A11142EE435B1E3AF7AD2D25C1267FA068A82CF64CCE3A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034655Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:21.734{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52433-false10.0.1.12-8000- 23542300x800000000000000034657Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:25.792{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA3C84BF47B85D99E358ADCE4F534244,SHA256=4C2CA78C17BDB9BAF8BFE15BADF286CFA27A6024335298536E6D43DA21E0BEBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018708Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:25.180{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A7983687A34BD2E30DBA9D77F2A0C91,SHA256=1EF46D5623EE82292ABA092F175B8C4C0474B92FAEB3E138E76599F966D465D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034658Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:26.808{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E31653DFFE09039E5848CD09F20BF509,SHA256=D6FBF414BFFB7F181F931180BA897554B4D8835C66BDC6AE1956EBB43F551E18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018709Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:26.180{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEFFB1DADA69CA0FA224C335047A77DA,SHA256=AF9F68718A30E095E0C5D1D1851FE7FD0EC554BDB827005B560B98D7D1C7FEAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034659Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:27.808{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=624F485675A00AED8882BC9CDA7A065B,SHA256=EDB29062EDC88E1065E11A844DFED7415089EFB6972376786A8F49ADFE428BBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018710Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:27.180{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0715C446806B20EA6065888F2AC3FD97,SHA256=CED99F4BF74B7982506C72003AA1CF1FD2930E8C8AD68D9B6FA696F765B51D85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034660Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:28.823{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0D1765012A970BC6CE382A72965B128,SHA256=0602E39FF7B30B7D7E18B095B681329BB4DDD8D93CB5FF83935402910ACBEC2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018712Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:28.195{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF056562F0CFA2AA61F4DEBF1A597AF,SHA256=9C9EAEFEAC5ADA2502216782905415AF3DF689B60DCEF1D6B39C8DAAA86345C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018711Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:26.183{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50661-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034662Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:29.823{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A490D96B2D6D2184D11EC3C7A178D1DE,SHA256=AD0D3252AE1A39B480A3DA305E5AEB4F80449BA426BDE42FB697A68F174628C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018713Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:29.211{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=727AEECF0D8350103B5B1CE3B59BC731,SHA256=2DC402B581244F80A0A160EFEAF3E3ABD6C957A8234B69C40353B399FC24CCA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034661Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:26.844{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52434-false10.0.1.12-8000- 23542300x800000000000000034663Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:30.839{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6224F0AEE6D43FE198D4E5E2E81333A,SHA256=0AB77711C30A062487E68CB2889C462943E5749B97BEDFD19457066C15D4C330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018714Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:30.211{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E49EB91084852FCD1C2551E7507E78A9,SHA256=C436E76538D9B08914853620884CFC1AC12941CD6866C6B72D107440ADE95EEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034664Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:31.839{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0988322110F597ECCF79896B8DFD87D,SHA256=C4134F4FA71D59CD7309C1CC94950F5DBE96417652FB38DBE1431FAED5D550C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018715Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:31.383{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E5292857752FC8912C4070B827763FB,SHA256=84823E98351C41735561BF201FED0215C450567C366970223489DEA03B267884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034665Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:32.855{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A9ECE6F56A38C793143DE1ADBC767E,SHA256=3E4B5D15931629AFD404699CFA83665E8DE404356492ACA9FE2416C8F9B0D97D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018717Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:32.617{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE87E4AE7ABC30987F31EBB42E92D38B,SHA256=74E39445FC30A355950FA8485933CA23FB9994DDCC71D07869D9D497A02EA13C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018716Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:32.617{49C67628-FDEB-615B-1100-00000000FC01}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=13DAF7984602E1CF76B3AEE1754C258F,SHA256=5874C7B0738253F8DFC89E7E69B71D5FD5AA03564227908281486D7D188E4C74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034666Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:33.855{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA8694F8183AD51EF5BA02503A974B56,SHA256=EF0BE6D0365349C3C10F0DE98FE399724621CF4D380F863E5DE5C89F59E27C80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018719Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:33.617{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1040209EF831A25E88BFED21978D0A3,SHA256=5858685E9D0A33A0884FFDA00F05E1A75C9DDC27A9A439455A46278B38FACF86,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018718Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:32.214{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50662-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034668Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:34.855{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E1A38EDA0DAC759EAFDC944F0A853E9,SHA256=CB665A9877942C532F4C12F78FA636136A59397BED3F083337B6E03148730D1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018721Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:34.635{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=611C4D8411805FA2526F2999832D9854,SHA256=D6D26183EC25B71C4BEA78CD3BDAB2A30AA70A9A63040686AD9EFEE221959930,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034667Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:32.688{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52435-false10.0.1.12-8000- 23542300x800000000000000018720Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:34.057{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\respondent-20211005072534-078MD5=9DBD3CF651CAD1963D7DD9E70795396E,SHA256=D00FE5240C0E39CC33FD8ADFFDA13197E8833401D0A3D05F731F6A79B8E00229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034669Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:35.855{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=396DF12FE39DAC92FD87935DD4E60E01,SHA256=0A35F206D9191FA5FBF8E7822041F22EC8422D22125ADC90C41CC4E2D664ADD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018723Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:35.714{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6613D4972B9DE7F5F937AAB9D9D6D08,SHA256=FE41F9188C0459768A2DCD4AE92737121D178B56BABC31BC22E8C4F7E4F2B3F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018722Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:35.058{49C67628-FDEC-615B-1F00-00000000FC01}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04b3958ebc31dc11b\channels\health\surveyor-20211005072532-079MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034670Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:36.855{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D745EBA5810CFD38C3DD6A17D54BAB63,SHA256=51F057AC3EB32EBBA117DED39ADB2E8A366CA1553F21271A90D317861F145754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018724Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:36.746{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E34515AB3878B8EB2ABAE4C1128A5E6D,SHA256=6F709DDAB09975D8BCCEC465F238320C30DCDD54C9925B78F40CD4B311737899,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018725Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:37.996{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A462FA316C4348649C72A73527C85883,SHA256=862D9CA71BA974FD8B37FE8E805429A4048C56A4F99C77C63956C230D59C078F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034671Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:38.073{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1769CBEBEF412F9A65B6C3278F9D53A2,SHA256=E2AC44B53BE053449F300E1F03AA37D02756FF616B4F07BD4A8491AA116CC9A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018727Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:37.295{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50663-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018726Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:39.136{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CDA80344BE493817CBE36EC1421CE6F,SHA256=BF6129A1C4AFBA6F35B44049BB0F7904E94C34E61EF10D808B606AD841013D66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034682Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:39.980{6EDEAD03-0272-615C-3205-00000000FB01}5632ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=D13AC03317243F6379FC5D0D6C6B8AA5,SHA256=3FEB2515B1C7F939F8677592B82923ACF6A16C234ADF3D1D47161FA50274270F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034681Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:37.812{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52436-false10.0.1.12-8000- 10341000x800000000000000034680Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:39.480{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-10EF-615C-F706-00000000FB01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034679Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:39.480{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034678Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:39.480{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034677Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:39.480{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034676Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:39.480{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034675Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:39.480{6EDEAD03-FC1A-615B-0500-00000000FB01}412528C:\Windows\system32\csrss.exe{6EDEAD03-10EF-615C-F706-00000000FB01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034674Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:39.480{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-10EF-615C-F706-00000000FB01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034673Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:39.481{6EDEAD03-10EF-615C-F706-00000000FB01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034672Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:39.105{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6772065867A1EDDC87558088B512669,SHA256=1923D181E7EE21696C97612674BD15B47658A0AE2E8974E27F4D8CC359B38B69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018728Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:40.153{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD78A392DA940A99AC15BC6AB6698303,SHA256=52917F598EA05D292BCB5F8635DBFD26BAE1413AC9F617EAA80E09CC4813B000,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034703Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:40.766{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-10F0-615C-F906-00000000FB01}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034702Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:40.766{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034701Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:40.766{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034700Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:40.766{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034699Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:40.766{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034698Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:40.766{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-10F0-615C-F906-00000000FB01}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034697Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:40.766{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-10F0-615C-F906-00000000FB01}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034696Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:40.767{6EDEAD03-10F0-615C-F906-00000000FB01}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034695Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:40.547{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FAB913C9AA015EA545DF72159A135C2,SHA256=5BCE777CE6B604BD93BF5FA7E74765F1EBE9DDC0CA93538BE29CDDCFE68D0778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034694Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:40.547{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=575390496B7D0AF947895EE1F465DFA6,SHA256=964FDEEFB18B79E01FF3FF2B97E2D6244D25D5C5A180BDBE566E0626F45B655A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034693Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:40.235{6EDEAD03-10F0-615C-F806-00000000FB01}45205016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000034692Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:40.110{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0579D63030026BFBD31A8940F07D9140,SHA256=172AD5A1F17F79679ADE27D5394F9408EB34003BEC27ED661609ED59E9E2FCF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034691Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:40.110{6EDEAD03-FCBF-615B-AF00-00000000FB01}416NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034690Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:40.094{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-10F0-615C-F806-00000000FB01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034689Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:40.094{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034688Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:40.094{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034687Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:40.094{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034686Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:40.094{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034685Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:40.094{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-10F0-615C-F806-00000000FB01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034684Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:40.094{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-10F0-615C-F806-00000000FB01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034683Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:40.095{6EDEAD03-10F0-615C-F806-00000000FB01}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034708Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:41.766{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FAB913C9AA015EA545DF72159A135C2,SHA256=5BCE777CE6B604BD93BF5FA7E74765F1EBE9DDC0CA93538BE29CDDCFE68D0778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034707Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:41.735{6EDEAD03-0272-615C-3205-00000000FB01}5632ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-10-05_084639MD5=03CD21CF35234D49020D4563C18D30D9,SHA256=CB16EA04EAED6CE6D5C25447E773904987CB562D178EB5956FD35FBE2FA69CAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034706Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:41.735{6EDEAD03-0272-615C-3205-00000000FB01}5632ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=8BCD96CE5E17932F6EDC414BDBD3F6DF,SHA256=7DAAD66D67FF6E524FEF75C4EB88B2C2F89731FC7150F799C1841B5E4A755519,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034705Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:39.692{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52437-false10.0.1.12-8089- 23542300x800000000000000034704Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:41.347{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D634A3407F3C5566AD16CCF64F79C808,SHA256=68BBA7BF25D2DB9829C5BB46D0D2D94B0EAA25060D1A23B7CDD30226E3B200B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018729Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:41.185{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C5F6DC6A9744CCFEE7A54FD7BACCD83,SHA256=AEFCA3A50A672316A4A6C5E534D413ED84ECD73654A55C9B7EEAEA852522E3FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034718Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:42.563{6EDEAD03-10F2-615C-FA06-00000000FB01}66086100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000034717Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:42.453{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA5E55124D94833B45085611CA791CE1,SHA256=8915AED5DC5518B51055689C205CAA3CAC7F19852FCD13158EAD36A3B631DB77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018730Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:42.278{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA008A97FD4757539672B12AF53956D3,SHA256=DA93F8572177ED4EAA7C0243E704766A76C5B04C0F2FCA3B0600477F746E2056,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034716Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:42.406{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-10F2-615C-FA06-00000000FB01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034715Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:42.406{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034714Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:42.406{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034713Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:42.406{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034712Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:42.406{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034711Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:42.406{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-10F2-615C-FA06-00000000FB01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034710Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:42.406{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-10F2-615C-FA06-00000000FB01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034709Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:42.407{6EDEAD03-10F2-615C-FA06-00000000FB01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000034738Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:43.906{6EDEAD03-10F3-615C-FC06-00000000FB01}22726336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034737Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:43.750{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-10F3-615C-FC06-00000000FB01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034736Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:43.750{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034735Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:43.750{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034734Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:43.750{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034733Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:43.750{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034732Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:43.750{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-10F3-615C-FC06-00000000FB01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034731Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:43.750{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-10F3-615C-FC06-00000000FB01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034730Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:43.751{6EDEAD03-10F3-615C-FC06-00000000FB01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034729Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:43.625{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E4BB1D7AA2ACB981B9F242BFCE41177,SHA256=CB85AC2327EB7B898FD6918FB2D160C228DC680FED6BCB549508B4F51F765A14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034728Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:43.547{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F556FA25748E36CD570DFB002241A5BC,SHA256=1093668BAF92829AB22D5D8C81D084E3B3C34BB575E4CFD0B00395D050ED6C30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018744Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:43.888{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-10F3-615C-0F03-00000000FC01}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018743Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:43.888{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018742Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:43.888{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018741Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:43.888{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018740Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:43.888{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018739Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:43.888{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018738Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:43.888{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018737Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:43.888{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018736Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:43.888{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018735Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:43.888{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018734Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:43.888{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-10F3-615C-0F03-00000000FC01}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018733Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:43.888{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-10F3-615C-0F03-00000000FC01}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018732Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:43.888{49C67628-10F3-615C-0F03-00000000FC01}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018731Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:43.294{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DF7D11890C624B53BB9CDD0D6A63B2D,SHA256=DA855DEE96A5742A9E3F3565D6E20684264146070A2DF4FEB37C0FD76FAC257B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034727Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:43.250{6EDEAD03-10F3-615C-FB06-00000000FB01}10763592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034726Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:43.078{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-10F3-615C-FB06-00000000FB01}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034725Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:43.078{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034724Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:43.078{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034723Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:43.078{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034722Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:43.078{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034721Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:43.078{6EDEAD03-FC1A-615B-0500-00000000FB01}412428C:\Windows\system32\csrss.exe{6EDEAD03-10F3-615C-FB06-00000000FB01}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034720Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:43.078{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-10F3-615C-FB06-00000000FB01}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034719Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:43.079{6EDEAD03-10F3-615C-FB06-00000000FB01}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000034755Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:44.969{6EDEAD03-FF62-615B-F802-00000000FB01}50525848C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034754Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:44.969{6EDEAD03-FF62-615B-F802-00000000FB01}50525848C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034753Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:44.969{6EDEAD03-FF62-615B-F802-00000000FB01}50525848C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034752Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:44.969{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034751Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:44.969{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034750Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:44.969{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034749Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:44.969{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000034748Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:44.766{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1EF8395489369CDA1D440330A083A44,SHA256=0E80AB191067563CA00854B9C9EFEA2586DAB27441621B2F7D6AA4EE6319957D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034747Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:44.563{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5B20DEA4191E49E6896EFE22AC7BC5E,SHA256=D8C928746817DA08FA5491A7E03DB117668713A6D3A74A7A4195186DDE20FFFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018761Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:44.903{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BE92D7B5A9FAC5816CC73BA4D62F354,SHA256=7415115487759B72CC7027C98CAA6B799E069E911DFEDC7403B2BBCE150694EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018760Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:44.903{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E178DA3C7DCDFD6F595AF02AEDA23708,SHA256=F855FD96BA2E27CD3F5CF058E55AB262C0BFE4F13B93D51E01A870E4A07EBFA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018759Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:44.435{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-10F4-615C-1003-00000000FC01}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018758Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:44.435{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018757Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:44.435{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018756Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:44.435{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018755Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:44.435{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018754Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:44.435{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018753Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:44.435{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018752Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:44.435{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018751Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:44.435{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018750Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:44.435{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018749Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:44.435{49C67628-FDEB-615B-0500-00000000FC01}4161032C:\Windows\system32\csrss.exe{49C67628-10F4-615C-1003-00000000FC01}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018748Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:44.435{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-10F4-615C-1003-00000000FC01}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018747Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:44.438{49C67628-10F4-615C-1003-00000000FC01}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018746Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:44.294{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8E5D428CA58DA90C8F5982D3E1A01E9,SHA256=5A231A30999E146EAD686709FD88E5FB9675F8C295D93A58A773BDCAF68BABE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034746Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:44.422{6EDEAD03-FCBF-615B-B300-00000000FB01}23322960C:\Windows\system32\conhost.exe{6EDEAD03-10F4-615C-FD06-00000000FB01}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034745Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:44.422{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034744Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:44.422{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034743Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:44.422{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034742Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:44.422{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034741Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:44.422{6EDEAD03-FC1A-615B-0500-00000000FB01}4122304C:\Windows\system32\csrss.exe{6EDEAD03-10F4-615C-FD06-00000000FB01}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034740Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:44.422{6EDEAD03-FCBF-615B-AF00-00000000FB01}4162296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6EDEAD03-10F4-615C-FD06-00000000FB01}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034739Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:44.423{6EDEAD03-10F4-615C-FD06-00000000FB01}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6EDEAD03-FC1B-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6EDEAD03-FCBF-615B-AF00-00000000FB01}416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018745Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:44.091{49C67628-10F3-615C-0F03-00000000FC01}5202892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018776Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:45.575{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE2B4D7E73E3A6E68A65CCA1EE7CE4B4,SHA256=E005A071F16EA23F11742DDB49B5FF11B581203D64104EABE6F9D83CAA23325E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034756Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:45.594{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3959670E28EB5100028F0E5D9ADB5F4B,SHA256=6EB95021E2E044E6B5560BDD109D99745583B6113FA48692271A5C3BE57F535C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018775Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:45.060{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-10F5-615C-1103-00000000FC01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018774Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:45.060{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018773Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:45.060{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018772Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:45.060{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018771Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:45.060{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018770Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:45.060{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018769Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:45.060{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018768Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:45.060{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018767Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:45.060{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018766Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:45.060{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018765Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:45.060{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-10F5-615C-1103-00000000FC01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018764Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:45.060{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-10F5-615C-1103-00000000FC01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018763Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:45.061{49C67628-10F5-615C-1103-00000000FC01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000018762Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:43.156{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50664-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018792Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:46.606{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B724A98D6B2E07900B29B583C3E0FA91,SHA256=FA611F0F8812A68BBADB582BE6EA45802BF0E91744309BD83E037606C11CA257,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034758Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:43.708{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52438-false10.0.1.12-8000- 23542300x800000000000000034757Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:46.625{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D519513CFB61CF9BCF4FA11181EB2B48,SHA256=7387C63823B940414870004E3B6DD647A48F50AC707B07B710635E9F6186C443,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018791Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:46.278{49C67628-10F6-615C-1203-00000000FC01}25883512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018790Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:46.138{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-10F6-615C-1203-00000000FC01}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018789Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:46.138{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018788Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:46.138{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018787Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:46.138{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018786Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:46.138{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018785Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:46.138{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018784Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:46.138{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018783Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:46.138{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018782Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:46.138{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018781Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:46.138{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018780Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:46.138{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-10F6-615C-1203-00000000FC01}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018779Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:46.138{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-10F6-615C-1203-00000000FC01}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018778Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:46.138{49C67628-10F6-615C-1203-00000000FC01}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018777Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:46.091{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BE92D7B5A9FAC5816CC73BA4D62F354,SHA256=7415115487759B72CC7027C98CAA6B799E069E911DFEDC7403B2BBCE150694EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018807Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:47.950{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-10F7-615C-1303-00000000FC01}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018806Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:47.950{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018805Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:47.950{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018804Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:47.950{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018803Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:47.950{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018802Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:47.950{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018801Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:47.950{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018800Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:47.950{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018799Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:47.950{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018798Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:47.950{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018797Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:47.950{49C67628-FDEB-615B-0500-00000000FC01}416532C:\Windows\system32\csrss.exe{49C67628-10F7-615C-1303-00000000FC01}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018796Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:47.950{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-10F7-615C-1303-00000000FC01}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018795Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:47.951{49C67628-10F7-615C-1303-00000000FC01}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018794Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:47.841{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B247752C1F5D0C95F76CB31C6F118208,SHA256=54BE029DF476A39AC72BD8E037492B21156DDFB946B9EA7AFFB4190D3769D1D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034777Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:47.828{6EDEAD03-011D-615C-0305-00000000FB01}57405284C:\Windows\system32\conhost.exe{6EDEAD03-10F7-615C-FE06-00000000FB01}2316C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034776Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:47.813{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034775Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:47.813{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034774Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:47.813{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034773Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:47.813{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034772Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:47.813{6EDEAD03-FF5F-615B-E202-00000000FB01}9723552C:\Windows\system32\csrss.exe{6EDEAD03-10F7-615C-FE06-00000000FB01}2316C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034771Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:47.813{6EDEAD03-011D-615C-0205-00000000FB01}54284716C:\Windows\system32\cmd.exe{6EDEAD03-10F7-615C-FE06-00000000FB01}2316C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034770Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:47.826{6EDEAD03-10F7-615C-FE06-00000000FB01}2316C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete HKLM\SYSTEM\CurrentControlSet\Control\MiniNtC:\Users\Administrator\ATTACKRANGE\Administrator{6EDEAD03-FF61-615B-7756-1D0000000000}0x1d56772HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 13241300x800000000000000034769Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:46:47.656{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000034768Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:46:47.656{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00518ae0) 13241300x800000000000000034767Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:46:47.656{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b9bd-0x262c01c7) 13241300x800000000000000034766Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:46:47.656{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b9c5-0x87f069c7) 13241300x800000000000000034765Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:46:47.656{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b9cd-0xe9b4d1c7) 13241300x800000000000000034764Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:46:47.656{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000034763Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:46:47.656{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00518ae0) 13241300x800000000000000034762Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:46:47.656{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b9bd-0x262c01c7) 13241300x800000000000000034761Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:46:47.656{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b9c5-0x87f069c7) 13241300x800000000000000034760Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:46:47.656{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b9cd-0xe9b4d1c7) 23542300x800000000000000034759Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:47.641{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5F1044D3F55C2E3000ED105C2CD9098,SHA256=5270B2700576516BCD5A11BDCF59A169C3C7380AEAD2E0EA9107FD9A2F01CAB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018793Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:47.169{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95A05121C66362DC0EBD742478CAFB33,SHA256=73C82F2C3B251E596E16FC656BBA05CFF191A9321CC7CB38E7FB9D9344778BAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034779Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:48.828{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6954FAD13DD8DEB192AEDE635DA5E1D7,SHA256=5FC7A42624831CD6ABEE374FDD79351710716D45DAB967F01452A2C9CA15430F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034778Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:48.672{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ADEF42ABBE25FDFBA6AF97D7F62410F,SHA256=881C9C65B7A1166DE9FA54D5C428DE0B458AC25691A530E8E686911BFD71091B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018824Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:48.950{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5D7775EBD98BD38B90F3AB5ED2FBD4D,SHA256=FCC151C79242FF92C5ECED303A867C2FA369B2BBC2894289609EE474A159D24B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018823Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:48.763{49C67628-10F8-615C-1403-00000000FC01}27883028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018822Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:48.622{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-10F8-615C-1403-00000000FC01}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018821Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:48.622{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018820Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:48.622{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018819Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:48.622{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018818Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:48.622{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018817Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:48.622{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018816Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:48.622{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018815Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:48.622{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018814Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:48.622{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018813Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:48.622{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018812Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:48.622{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-10F8-615C-1403-00000000FC01}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018811Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:48.622{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-10F8-615C-1403-00000000FC01}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018810Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:48.623{49C67628-10F8-615C-1403-00000000FC01}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018809Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:48.388{49C67628-FE68-615B-9F00-00000000FC01}1772NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=77A3FAE6E3D081057742F67BE17D48F0,SHA256=B45196262D41012541FDA928C2D6D89C531ACA10A8054FE8E2047913CDE27561,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018808Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:48.122{49C67628-10F7-615C-1303-00000000FC01}3932328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000034782Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:49.985{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1141E6A9DA427B4D463BB79D6951CF1E,SHA256=B50B3521360D732B449315483FE919F21696051C99CB90F8AD43127CC55FB245,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034781Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:49.719{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A75D9C2B6637C0D29B3CB71258008968,SHA256=72B2832F07A66CF8F762F3972D6CD899F6A08C2B8258C9D2006C772F2CCEBB1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018838Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:49.451{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93CEA31B658D60C07721DAA65C17ED91,SHA256=2DA63DB261D0A4233D44C295AF92E42D78C7F4D3552BB76EE40B8DEC5CF177BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018837Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:49.294{49C67628-FE68-615B-A300-00000000FC01}33563576C:\Windows\system32\conhost.exe{49C67628-10F9-615C-1503-00000000FC01}484C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018836Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:49.294{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018835Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:49.294{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018834Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:49.294{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018833Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:49.294{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018832Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:49.294{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018831Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:49.294{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018830Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:49.294{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018829Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:49.294{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018828Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:49.294{49C67628-FDEB-615B-0C00-00000000FC01}7284028C:\Windows\system32\svchost.exe{49C67628-FDEC-615B-2200-00000000FC01}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018827Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:49.294{49C67628-FDEB-615B-0500-00000000FC01}416432C:\Windows\system32\csrss.exe{49C67628-10F9-615C-1503-00000000FC01}484C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000018826Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:49.294{49C67628-FE68-615B-9F00-00000000FC01}1772588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{49C67628-10F9-615C-1503-00000000FC01}484C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000018825Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:49.295{49C67628-10F9-615C-1503-00000000FC01}484C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{49C67628-FDEB-615B-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000034780Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:49.094{6EDEAD03-FC1B-615B-0B00-00000000FB01}636692C:\Windows\system32\lsass.exe{6EDEAD03-FC18-615B-0100-00000000FB01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000034786Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:50.860{6EDEAD03-FC1D-615B-1200-00000000FB01}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9B366A3B538E3ACC880082AFF4F9BAF6,SHA256=D5655834416ED08A4DE4B144D0DA1580EEB452E104DE46AACE4DB39FB0CB0C26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034785Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:50.735{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D67571371AA57120A9BA42397D8ED81,SHA256=F278E65409E36062FCB4E2A14A9E70CB173952D382F238C77FFCFE62B28E2E75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018841Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:50.325{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C33ED3A935C29210BF061ACE7CF6103,SHA256=09D00AAF003759CB556258EF2C1D64F0A6BF35A8CA06B12518925552E9E0A6D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018840Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:50.325{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F916F7427C0D276F80BE2F9ADEF631F9,SHA256=CD68917727776C0EA9758A22A867954ADCFB636E399AC43D9AAF1B6D3D1CCC36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034784Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:50.688{6EDEAD03-FC1D-615B-0D00-00000000FB01}9082228C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1100-00000000FB01}480C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034783Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:50.688{6EDEAD03-FC1D-615B-0D00-00000000FB01}9082228C:\Windows\system32\svchost.exe{6EDEAD03-FC1D-615B-1600-00000000FB01}1288C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000018839Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:48.438{49C67628-FE68-615B-9F00-00000000FC01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50665-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000034793Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:51.735{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E15FE6728E7C73332817561F470AB6CF,SHA256=BB1741FCE67EE4DB299058825FB1E154056F7E79323782FE0190806AAC390844,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018843Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:51.325{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BECCE38121B318C602FB9A00B960397,SHA256=45827C1AAEB958A25F05702AC0568B0294FA3B417F48D0B36F8F92CBE50C667A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034792Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:48.696{6EDEAD03-FC18-615B-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local52441-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local445microsoft-ds 354300x800000000000000034791Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:48.696{6EDEAD03-FC18-615B-0100-00000000FB01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local52441-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local445microsoft-ds 354300x800000000000000034790Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:48.594{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-676.attackrange.local52440-false10.0.1.14win-dc-676.attackrange.local389ldap 354300x800000000000000034789Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:48.594{6EDEAD03-FC1D-615B-1600-00000000FB01}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52440-false10.0.1.14win-dc-676.attackrange.local389ldap 354300x800000000000000034788Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:48.586{6EDEAD03-FC1B-615B-0B00-00000000FB01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local52439-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local389ldap 354300x800000000000000034787Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:48.586{6EDEAD03-FC1D-615B-1600-00000000FB01}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local52439-truefe80:0:0:0:b879:39b3:8bb9:e640win-dc-676.attackrange.local389ldap 354300x800000000000000018842Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:49.094{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50666-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034795Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:52.735{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E48D015D7C3D53751B240969DC1C2BB,SHA256=92EBB851AAE5F7FF4922B4C6B0D36D7672D522C5B01D982B7F218214DC0BACFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018844Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:52.341{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6CABDA7B94FA00E2018BDC6ECED3418,SHA256=77C2CDB5F611BB06751AFE393F27A260581D5B7DFB3C765BC0F02E6034804B61,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034794Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:48.833{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52442-false10.0.1.12-8000- 23542300x800000000000000018845Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:53.341{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2BC40E9AAE088539FCACBA6955FBBAC,SHA256=91D1CCC1D9DF8DC6B9BCE616D847B44FE7BD352B8A0DC43C4C1BC81CA36FDD68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034828Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:53.719{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034827Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:53.719{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034826Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:53.719{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034825Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:53.719{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034824Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:53.719{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034823Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:53.719{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034822Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:53.719{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034821Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:53.719{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF6E-615B-2103-00000000FB01}5980C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034820Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:53.719{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034819Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:53.719{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034818Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:53.719{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034817Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:53.719{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034816Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:53.719{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034815Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:53.719{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034814Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:53.719{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034813Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:53.719{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034812Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:53.719{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034811Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:53.719{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034810Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:53.719{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034809Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:53.719{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034808Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:53.719{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034807Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:53.719{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034806Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:53.719{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034805Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:53.719{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034804Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:53.719{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034803Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:53.719{6EDEAD03-FC1D-615B-0D00-00000000FB01}908932C:\Windows\system32\svchost.exe{6EDEAD03-FF62-615B-F802-00000000FB01}5052C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034802Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:53.453{6EDEAD03-FF62-615B-F802-00000000FB01}50525848C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4505-00000000FB01}1884C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034801Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:53.453{6EDEAD03-FF62-615B-F802-00000000FB01}50525848C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4505-00000000FB01}1884C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034800Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:53.453{6EDEAD03-FF62-615B-F802-00000000FB01}50525848C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4505-00000000FB01}1884C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034799Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:53.438{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4605-00000000FB01}3588C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034798Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:53.438{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4605-00000000FB01}3588C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034797Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:53.438{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4605-00000000FB01}3588C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034796Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:53.438{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-02EA-615C-4605-00000000FB01}3588C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000018846Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:54.341{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7DF2F1E4CC082308AEB8661F3035DA9,SHA256=F35B33EEE79214CD0395BDBE951F870B093973BD6BBE5E8A39855E3B7BBBD845,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000034850Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:46:54.938{6EDEAD03-10FE-615C-FF06-00000000FB01}6700C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=CB16EA04EAED6CE6D5C25447E773904987CB562D178EB5956FD35FBE2FA69CAC 13241300x800000000000000034849Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:46:54.938{6EDEAD03-10FE-615C-FF06-00000000FB01}6700C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigFileC:\Program Files\ansible\AttackRangeSysmon.xml 13241300x800000000000000034848Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:46:54.938{6EDEAD03-10FE-615C-FF06-00000000FB01}6700C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data 16341600x800000000000000034847Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local2021-10-05 08:46:54.938C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=CB16EA04EAED6CE6D5C25447E773904987CB562D178EB5956FD35FBE2FA69CAC 13241300x800000000000000034846Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:46:54.938{6EDEAD03-10FE-615C-FF06-00000000FB01}6700C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data 13241300x800000000000000034845Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:46:54.938{6EDEAD03-10FE-615C-FF06-00000000FB01}6700C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data 13241300x800000000000000034844Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:46:54.938{6EDEAD03-10FE-615C-FF06-00000000FB01}6700C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithmDWORD (0x8000000e) 13241300x800000000000000034843Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:46:54.938{6EDEAD03-10FE-615C-FF06-00000000FB01}6700C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000007) 12241200x800000000000000034842Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-DeleteValue2021-10-05 08:46:54.938{6EDEAD03-10FE-615C-FF06-00000000FB01}6700C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules 12241200x800000000000000034841Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-DeleteValue2021-10-05 08:46:54.938{6EDEAD03-10FE-615C-FF06-00000000FB01}6700C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup 12241200x800000000000000034840Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-DeleteValue2021-10-05 08:46:54.938{6EDEAD03-10FE-615C-FF06-00000000FB01}6700C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation 12241200x800000000000000034839Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-DeleteValue2021-10-05 08:46:54.938{6EDEAD03-10FE-615C-FF06-00000000FB01}6700C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm 12241200x800000000000000034838Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-DeleteValue2021-10-05 08:46:54.938{6EDEAD03-10FE-615C-FF06-00000000FB01}6700C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options 10341000x800000000000000034837Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:54.875{6EDEAD03-02EA-615C-4605-00000000FB01}35886968C:\Windows\system32\conhost.exe{6EDEAD03-10FE-615C-FF06-00000000FB01}6700C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034836Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:54.875{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034835Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:54.875{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034834Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:54.875{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034833Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:54.875{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034832Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:54.875{6EDEAD03-FF5F-615B-E202-00000000FB01}9723852C:\Windows\system32\csrss.exe{6EDEAD03-10FE-615C-FF06-00000000FB01}6700C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034831Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:54.875{6EDEAD03-02EA-615C-4505-00000000FB01}18843628C:\Windows\system32\cmd.exe{6EDEAD03-10FE-615C-FF06-00000000FB01}6700C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034830Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:54.878{6EDEAD03-10FE-615C-FF06-00000000FB01}6700C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{6EDEAD03-FF61-615B-7756-1D0000000000}0x1d56772HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{6EDEAD03-02EA-615C-4505-00000000FB01}1884C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x800000000000000034829Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:54.219{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29E3C41455339419EE62B93F513915D3,SHA256=569D0A02D9AB89CC059225DCA26392B881979E69139BB88E42791A3BCF2A0A85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018847Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:55.356{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27CDF2A44FF337A42033C19EA035B5B6,SHA256=202435309D9E2A98BEF6A719225FD753165656941AEDF715218C9F52ED8D16E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034853Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:55.922{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74A735CDD2102C4D7A281B4063C4E58C,SHA256=AEC9AE8F076B3E0B916B8BDB7B8910C8A23D0F0D8805132E21C45747C83F636D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034852Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:55.922{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A85CF57D5A0CE5908621857D1D29DCB,SHA256=58577B8CDAA42535E463A11ECEE83BF6E4A3D7E956B6B015BFAE072CB4583B62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034851Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:55.235{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=390DA78B9B11F4E28208BD31009E59BD,SHA256=04E57500A4459DD2A468077A27ACCDFE1568961507B9D7FE0FAD00DE8FE47AEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018848Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:56.372{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A21ADF6AFB5097CC08F1750A645558,SHA256=57DEB5621BD36D435D12D1D142A92E4EA060CF4B50B6DB46415747943E95299F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034861Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:56.266{6EDEAD03-FF62-615B-F802-00000000FB01}50525848C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034860Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:56.266{6EDEAD03-FF62-615B-F802-00000000FB01}50525848C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034859Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:56.266{6EDEAD03-FF62-615B-F802-00000000FB01}50525848C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034858Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:56.266{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034857Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:56.266{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034856Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:56.266{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034855Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:56.266{6EDEAD03-FF62-615B-F802-00000000FB01}50525880C:\Windows\Explorer.EXE{6EDEAD03-011D-615C-0305-00000000FB01}5740C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000034854Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:56.250{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCA94F80A8CF55F76F6E71407C4AC6B6,SHA256=B7699571EB341B7C4C6247624F871F5E70E3FB46127FE7638733B9E950E4E661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018850Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:57.372{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=815EA4CB9C7648B734B626F662E651F3,SHA256=EBA5243B9CD9C4CE95E8BC8EED764EB9DD7DE43C89F9032EFF2289F30925C967,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000034872Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-SetValue2021-10-05 08:46:57.735{6EDEAD03-1101-615C-0007-00000000FB01}1492C:\Windows\system32\reg.exeHKLM\System\CurrentControlSet\Control\MiniNt\(Default)(Empty) 10341000x800000000000000034871Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:57.719{6EDEAD03-011D-615C-0305-00000000FB01}57405284C:\Windows\system32\conhost.exe{6EDEAD03-1101-615C-0007-00000000FB01}1492C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034870Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:57.719{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034869Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:57.719{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034868Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:57.719{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034867Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:57.719{6EDEAD03-FC1D-615B-0C00-00000000FB01}8485024C:\Windows\system32\svchost.exe{6EDEAD03-FC2A-615B-2A00-00000000FB01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034866Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:57.719{6EDEAD03-FF5F-615B-E202-00000000FB01}9723852C:\Windows\system32\csrss.exe{6EDEAD03-1101-615C-0007-00000000FB01}1492C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034865Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:57.719{6EDEAD03-011D-615C-0205-00000000FB01}54284716C:\Windows\system32\cmd.exe{6EDEAD03-1101-615C-0007-00000000FB01}1492C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034864Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:57.726{6EDEAD03-1101-615C-0007-00000000FB01}1492C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add HKLM\SYSTEM\CurrentControlSet\Control\MiniNtC:\Users\Administrator\ATTACKRANGE\Administrator{6EDEAD03-FF61-615B-7756-1D0000000000}0x1d56772HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{6EDEAD03-011D-615C-0205-00000000FB01}5428C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x800000000000000034863Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:57.281{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=936A310A94EA98C27D97E623346A44A5,SHA256=963A905D461EB7E4161D77740849E0BE939B89F854766426844B096FCEDF2FA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018849Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:55.125{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50667-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000034862Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:54.630{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52443-false10.0.1.12-8000- 23542300x800000000000000018851Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:58.388{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B9AA2187869CE1EFBD05AD5B2282CAA,SHA256=6EC5A37C104CC72881BC73EF78F23108B81E8C73B871A1503A764A390D14D6FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034874Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:58.844{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74A735CDD2102C4D7A281B4063C4E58C,SHA256=AEC9AE8F076B3E0B916B8BDB7B8910C8A23D0F0D8805132E21C45747C83F636D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034873Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:58.313{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60A95A6AF91E339CE72BC8705222386C,SHA256=682B6FA104C16CC285A0481F659CEB7987CA5D06901B36B2F4D17FF499421908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034875Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:59.328{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E386C5DC5782B7A9BA8708A62B7AB9,SHA256=7B527600E561623B4269456A6903DDCD5AA91784D19ECDEF3D0CBE10F8FA5C3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018852Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:46:59.388{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0411640957CFBEAEB3BFA84BA2FDB6E,SHA256=451F72840625CE0A1CC4266003C4B2EA11910985004887FC2279C589F184534B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018853Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:47:00.402{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C4E9866AF3B897708ACF77B767DC360,SHA256=BAA77CAA4B364548F634FC6856DD24DC241C3A25966ACA9AACBACC4E00C07805,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034877Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:47:00.874{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FF3296C296EA7E16486D86606EC17CD,SHA256=B0E094B1BA7BD0DDE1C2DE551C721AF4198ABCCDBA6587B2734C0A432FDA1FF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034876Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:47:00.358{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=333CE80F04A6945E84FE1216652985DD,SHA256=74E25666145A779668561B57404C31C73A6987A7EE1B20C18E57A9B9AF5FD74A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018854Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:47:01.402{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44488BE614EC4FEC5F62414C14C0D03E,SHA256=AD4F73A940CF01C84842062295442639881FE882B54C734EB7848B1C38EB2546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034878Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:47:01.358{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=903D1A901B920933A8616BDBC3B7B3E0,SHA256=46EABDEE6EBB9C18423CEC0EED5C024DF010A11CA6986C2D1D13C0F122EFF848,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018856Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:47:02.605{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C08D65EAED6E637B6EF4EB60A62AEF6,SHA256=ACFB52A538E346B134F5AB418BC24C7F83100F2DD8C999E576D8BE975CF1B0CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034880Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:47:02.389{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D595223897800A8E6DF72DF8F8A319C4,SHA256=F7B8DC30A0CB232D1128C6560B8F050AAACB9178111757D4D332A080561C59D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018855Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:47:00.327{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50668-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000034879Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:46:59.769{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52444-false10.0.1.12-8000- 23542300x800000000000000018857Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:47:03.730{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72395CE8DCE4CBBA9B03376143B1B647,SHA256=6C78E1F4A0EB6EBA2D6C0ADDD69511FAFF238576EEAF58433A03DBC0CA40E381,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034881Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:47:03.405{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CA8AC19DFF16AAB012BE441213563A9,SHA256=59B6BD809A15D932F2BE46166DBF9A01E462705E100A323523A853B852561E7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018858Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:47:04.855{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FE28071548FA785ED2F095C6498D843,SHA256=3A48BF53FE70B8F688BF0382FCF308C5637BF2456A6E122161480640571931EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034882Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:47:04.452{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D52738CF6B2362AE32E302171421DFE,SHA256=0D10C8532E55395B1D888E066D062A90981D430B90320A7BB966300905971AE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034883Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:47:05.593{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F844E096D28978268E8D091E02CF52E,SHA256=C7D226AAAB18A2790A17E30E9451C5F72E0E6AD8C38FECAF285416C322EE4914,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034884Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:47:06.702{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37AE853347620DFC7C291A59435037EA,SHA256=DCF5388BE947B5966C3B2C559234095061B12B645A7715E4F9063847F954B173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018859Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:47:06.012{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710FCC31F18943A6828B6DE6D4508BD4,SHA256=57B43200FF8415375B8B59C7A6B4C1B3FD16185023962500E7D38A62F5AD40BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034885Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:47:07.936{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1898582A89ED1DEFB02F29A823EAE15,SHA256=18046C4FBB8AE307F1752D2EE401A2DD940E1AE5FAE30D22235DB99FC1D6C55E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018861Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:47:06.155{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50669-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018860Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:47:07.152{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45EC5998082975E0314D5D7CFC537BE5,SHA256=B5A551176E49D259F9E46406D10E6C47CD62A08895162ECFB1A79F8339B5CAC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034887Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:47:08.952{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00FC52574DF2AC7CAD229B50BC7BC01E,SHA256=017A03C5CFCDBF43D89449548735C83C8E7FB84DF17F1F55424F5F58850A7346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018862Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:47:08.277{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3A272783321212AD396C45678D7ADE4,SHA256=EF9B823F265A375725565949276B07A08D0CD58B7F01B03E4892BEF5D2E1BB29,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034886Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:47:05.753{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52445-false10.0.1.12-8000- 23542300x800000000000000034888Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:47:09.968{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA76C9D7FAE36ABFFB13076ED5161F57,SHA256=4F9D7A6734F2B4756531F357E39C8281D4F66BB07C373A85FCBD9A614466FD14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018863Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:47:09.465{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B59DFC72F83D9CCD03E66DD6CBB1DFB,SHA256=6352BD2FFC70E094A8516C23950C0AB9F36C139F712FC235931971BE433ADD46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034889Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:47:10.968{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DFB41E36AA0BE85A2A0626CC2BDBEBB,SHA256=9C0CA051AE39F8180B807930DC474179646905CF4FA3DDE5D1306A0051DDEF0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018864Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:47:10.465{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7267EF5FFDF59785D07D8D1A5C5E5426,SHA256=5D1B47B15BACE62FC5D6AF3F8BE724A8EB6D7AF45AD271966E406768CF42154A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018865Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:47:11.480{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB1691867861C7D2222DAC3E1EEAE417,SHA256=F0611A5980BE148D6D70CBE448C05480D04BF40F26CF152F439EF8FAABF4F2F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018866Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:47:12.480{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A9BB1A41B802F7B4C91FC1FAEEC792,SHA256=D4D80F3ECB96282C05952893E62E22ADAD9CE5EF831F06676172FF02BB66CABB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034890Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:47:12.014{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=002C51B56FCD6F58FDE3576D4196E4A2,SHA256=9330E67D60D612BE6686B0AD0BC71CF325A84DCEC0C133FF503A699D74481D08,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018868Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:47:11.311{49C67628-FE6F-615B-D100-00000000FC01}976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-340.eu-central-1.compute.internal50670-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018867Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:47:13.496{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F8842E586A4554AB99DA256992AC91E,SHA256=4A3DE5E5A7156822D5DDB2AE67797F1CBE5A98FEDDBF34ACD92111C83C255586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034891Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:47:13.030{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2E69456511C14C4A55B3838970A102C,SHA256=A99F2F1147A54E658821647BCD9994500E9190117384ABDE74C73B654EFBB02F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018869Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:47:14.496{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CDA43BD3B33CC65FF067F4986C840C8,SHA256=3480240076D4C30301EE2F0A6A3C63F3AA64D02F4899CDB6CB4E2E2D08858E68,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034893Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:47:11.722{6EDEAD03-FCC6-615B-DD00-00000000FB01}2220C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-676.attackrange.local52446-false10.0.1.12-8000- 23542300x800000000000000034892Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:47:14.061{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39C689368BBDFA03320BAC3DE5480F2A,SHA256=7A1F2B0BFBE14373DDAF67F3850ABF2A1C9CF6259F265C31CD4ADAB19EC306C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018870Microsoft-Windows-Sysmon/Operationalwin-host-340-2021-10-05 08:47:15.511{49C67628-FE75-615B-DA00-00000000FC01}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22608F3091BCE5E9A392E6F4692A6FF7,SHA256=A72554EE3B90E1D93DC094456551705803E308EB20C0D0B69ED507A11A798012,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034894Microsoft-Windows-Sysmon/Operationalwin-dc-676.attackrange.local-2021-10-05 08:47:15.077{6EDEAD03-FCCC-615B-E600-00000000FB01}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6045CE8ED557B901C8DC3E7E6AEAC53,SHA256=A81909EC30CC21B6111737B18FCE55D413B26EB4BEA861BFBC5B338581894FE8,IMPHASH=00000000000000000000000000000000falsetrue